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ABSTRACT 

The  Nuclear  Regulatory  Commission’s  (NRC)  steady  progress  towards  risk-informed 
performance-based  regulation  (RIPBR)  prompted  the  practical  application  of  this 
regulatory  tool  in  order  to  demonstrate  its  potential  benefits.  This  practical  demonstration 
makes  up  one  part  of  an  Idaho  National  Engineering  and  Environmental  Laboratory 
(INEEL)  sponsored  project  entitled  Integrated  Models,  Data  Bases  and  Practices  Needed 
for  Performance-Based  Safety  Regulation.  Project  members  selected  the  emergency 
diesel  generator  system  as  a  candidate  for  assessment  because  of  its  high  risk  importance 
for  core  damage  frequency  (CDF)  as  well  as  for  its  failure  to  exhibit  fulfillment  of  its 
current  maintenance  objectives. 

An  analysis  of  current  NRC  maintenance  and  inspection  requirements  of  the 
emergency  diesel  generators  at  the  Millstone  3  nuclear  power  plant  was  performed  by  the 
project  members.  Maintenance  and  inspection  items  identified  as  unnecessary  or  harmful 
to  the  EDG  qualified  as  candidates  for  removal  from  the  current  surveillance  schedule. 
Expert  testimony  and  comparisons  with  similar  non-nuclear  utility  industries  aided  in  the 
identification  of  candidate  items. 

Calculations  of  the  subsequent  risk,  reliability,  safety,  and  economic  implications 
revealed  several  benefits  of  the  inspection  alterations.  The  modified  inspection  provided 
improved  backup  power  availability  and  defense  in  depth  during  the  refueling  outage.  A 
sensitivity  analysis  performed  on  the  EDG  basic  events  affected  by  inspection  alteration 
showed  that  a  50%  reduction  in  these  basic  event  failure  rates  would  decrease  the  EDG 
system  failure  probability  by  13.9%.  The  altered  inspection  also  shortens  the  plant’s 
refueling  outage  critical  path  therefore  decreasing  the  risk  of  fuel  damage  and  improving 
the  risk  profile  of  the  plant  outage.  Transfer  of  the  revised  inspection  to  performance 
while  the  plant  is  operating  at  power  resulted  in  identical  refueling  outage  benefits. 
Performance  of  the  inspection  at  power  requires  an  increase  in  the  allowed  outage  time 
(AOT)  of  the  plant.  The  subsequent  rise  in  core  damage  frequency  due  to  the  increased 
AOT  is  considered  negligible. 
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Chapter  1  ~  Introduction 

1.1  General 

Emergency  diesel  generators  (EDGs)  perform  an  essential  safety  function  in  every 
nuclear  power  plant  in  the  United  States.  As  the  centerpiece  of  the  emergency  power 
system,  they  provide  a  redundant  source  of  electricity  to  vital  safety  equipment  in  the 
event  of  a  loss  of  offsite  power. 

The  failure  of  a  generator  to  start  and  run  could  have  far-reaching  effects;  in 
extreme  cases,  core  damage  or  even  the  loss  of  human  life.  In  order  to  ensure  that  the 
generators  and  their  support  systems  are  capable  of  performing  their  safety  function, 
diesel  operators  subject  the  EDGs  to  numerous  mandatory  tests  and  inspections.  The 
United  States  Nuclear  Regulatory  Commission  (NRC)  established  these  surveillances  in 
order  to  ensure  that  the  generators  have  sufficient  reliability  to  maintain  the  risk  of  core' 
damage  at  an  acceptable  low  value. 

A  recent  study  performed  by  the  Idaho  National  Engineering  and  Environmental 
Laboratory  (INEEL)  [1]  considered  the  EDG  power  system  reliability  at  length.  This 
study  indicated  that  a  particular  EDG  inspection  performed  during  the  refueling  outage 
was  most  likely  degrading  the  reliability  of  diesels  utilized  by  nuclear  utilities.  That  EDG 
inspection  is  the  focus  of  this  report. 
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This  report  presents  an  alternative  EDG  inspection  that  replaces  the  current 
detrimental  inspection.  Improved  reliability  of  the  EDG,  improved  plant  safety  and 
enhanced  plant  risk  are  all  benefits  of  adoption  of  the  new  inspection. 

1.2  Background 

In  recent  years,  the  United  States  Nuclear  Regulatory  Commission  (NRC)  and  the 
nuclear  utilities  have  recognized  that  the  continual  improvement  of  probabilistic  risk 
assessment  (PRA)  methodology  has  justified  an  increase  in  its  use  as  a  regulatory  tool. 

The  NRC  now  encourages  the  application  of  PRA  and  associated  analyses  in  order  to 
reduce  unnecessary  conservatism  associated  with  regulatory  guides,  requirements  and 
license  commitments. 

The  NRC  now  encourages  a  risk-informed  approach  to  decision-making  where 
utilities  propose  regulation  based  on  underlying  engineering  principles  and  an  assessment 
of  the  impact  of  proposed  changes  on  the  plant  design.  Risk  insights  and  assessments  of 
the  change  in  plant  risk  then  complement  this  assessment.  The  NRC  terms  this  process 
risk-informed,  performance-based  regulation  (RIPBR). 

The  RIPBR  application  process  is  a  three-step  process  initially  requiring  a 
detailed  description  of  the  change  and  its  rationale.  The  second  step  requires  an  extensive 
two-part  engineering  evaluation  of  the  change.  The  engineering  evaluation  begins  with  a 
traditional  deterministic  evaluation  that  proves  that  the  utility  satisfies  current  regulations 
and  meets  requirements  for  conservatism  and  defense  in  depth.  The  second  part  of  the 
engineering  evaluation  requires  the  utility  to  perform  a  probabilistic  risk  evaluation  of  the 
change.  The  results  of  this  evaluation  must  show  that  the  proposed  change  is  beneficial 
to  plant  risk  or  negligibly  detrimental.  Once  the  utility  completes  the  engineering 
evaluation,  it  must  formulate  a  plan  for  monitoring  the  implementation  of  the  change  and 
ensure  that  the  associated  performance  goals  will  be  still  be  met  [2]. 

The  NRC  is  currently  working  with  several  volunteer  utility  companies  on  various 
RIPBR  pilot  projects.  These  projects  include  modification  of  technical  specifications, 
alteration  of  allowed  equipment  outage  times,  in-service  inspections  and  graded  quality 
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assurance.  These  pilot  projects  should  reveal  if  the  NRC  move  towards  utilization  of 
RIPER  enhances  the  operational  safety  of  nuclear  power  plants.  RIPER  is  the  basic 
strategy  used  throughout  this  work  to  analyze  the  EDG  inspection  alteration  at  our 
cooperating  project  utility,  Millstone  Unit  3  (MP-3). 

1.3  Thesis  Objective  and  Method  of  Investigation 

Develop  an  improved  refueling  outage  inspection  for  emergency  diesel  generators 
through  application  of  risk-informed,  performance-based  regulation  methodology. 

The  first  step  in  the  development  of  the  strategy  for  diesel  generator  performance 
improvement  was  to  gain  a  comprehensive  understanding  of  EDGs  and  their  use.  We 
performed  an  extensive  study  of  the  history,  manufacturer,  hardware,  and  operation  of  the 
EDGs  at  Millstone  3.  We  used  this  information,  along  with  expert  judgment  provided  by 
the  engineers  at  Millstone  3,  to  alter  the  EDG  refueling  outage  inspection.  This  alteration 
included  the  elimination  or  periodicity  extension  of  several  items  with  the  overall 
outcome  being  a  shortened,  more  efficient  inspection  that  is  less  intrusive  to  the  diesel 
and  reduces  the  opportunity  for  human-induced  failures. 

Professional  insight  and  nuclear  EDG  history  were  not  the  only  influences  on  the 
final  streamlined  inspection.  This  report  also  relied  upon  the  expertise  of  non-nuclear 
industry  uses  of  emergency  diesel  generators.  Chapter  5  presents  the  expert  input 
provided  by  the  Federal  Aviation  Administration,  the  United  States  Navy,  and  civilian 
hospitals. 

Jeffrey  Dulik,  another  participant  in  this  study,  also  influenced  the  final  form  of 
the  inspection.  He  researched  monitoring  and  sensing  equipment  that  could  replace  or 
possibly  enhance  specific  inspection  items  [3]. 

Once  the  final  form  of  the  inspection  is  established,  there  are  two  possibilities  for 
the  application  of  the  new  inspection.  The  first  option  is  to  continue  to  perform  the 
inspection  during  the  refueling  outage.  Chapter  6  presents  this  option  and  the  associated 
risk  benefits  of  the  strategy.  A  shortened  inspection  has  a  measurable  impact  on  the 
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critical  path  of  the  power  plant  during  its  outage.  We  measure  this  impact  in  terms  of  the 
hours  required  to  perform  it.  We  present  the  associated  economic  benefits  later  in  this 
report.  A  shortened  inspection  also  reduces  the  probability  of  fuel  damage  during  the 
reftieling  outage.  Chapter  6  discusses  this  impaet  at  length. 

The  second  option  is  to  perform  the  remaining  inspection  while  the  plant  is 
operating  at  power.  Chapter  7  shows  that  this  change  would  reduce  the  refueling  outage 
critical  path  duration  and  the  probability  of  fuel  damage  during  the  refueling  outage.  This 
change  increases  the  eore  damage  frequency  while  the  plant  is  operating  and  the 
inspection  is  being  performed.  However,  the  resulting  rise  in  risk  is  negligibly  small 
aeeording  to  standards  set  by  the  NRC  and  Eleetrieal  Power  Research  Institute  (EPRI) 

[2, 4]. 

Chapter  8  contains  a  discussion  of  the  resulting  economic  and  safety  benefits  of 
the  proposed  changes.  The  final  results  of  this  study  demonstrate  the  significant  safety  as 
well  as  economic  benefits  of  the  altered  inspection. 

1.4  Terminology 

This  report  utilizes  terminology  that  is  standard  within  the  nuclear  industry 
whenever  possible.  The  following  defined  terms  provide  additional  clarity: 

•  Allowed  Outage  Time  fAOTi  --  The  maximum  allowed  time  out  of  service  for 
equipment  while  the  plant  is  operating  at  power.  The  value  of  this  requirement  is  set 
by  the  NRC  and  is  different  for  each  plant. 

•  Critical  Path  --  For  a  refueling  outage,  the  sequence  of  operations  that  must  be 
performed  serially;  these  critical  equipment  outages  prevent  the  plant  from  returning 
to  an  operational  full  power  status. 

•  Defense  in  Depth  TDIDt  —  The  principle  of  requiring  redundaney  in  equipment  and 
procedures,  so  that  failure  of  a  single  component  or  procedural  step  does  not  cause  an 
vmdesired  consequence. 

•  Infant  Mortality  --  A  period  of  high  equipment  failure  rate  following  the  introduction 
of  the  equipment  into  service. 
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•  Prnhabilistic  T?islc  Assessment  TPRA^  --  A  systematic  method  for  transforming 
knowledge  of  basic  events  in  a  plant  and  their  occurrence  frequencies  into 
corresponding  integrated  system  risk  profiles. 

•  Risk-informed,  performance-based  regulation  (RIPBR^  -  An  approach  to  decision¬ 
making  based  on  an  assessment  of  the  engineering  impact  of  proposed  nuclear  power 
plant  equipment  and  procedural  changes  and  their  associated  impact  on  plant  risk. 

•  Surveillance  -  A  planned  maintenance  or  test  performed  to  meet  either  regulatory 
requirements  or  performed  voluntarily  for  investment  protection  of  the  plant. 
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Chapter  2  —  Literature  Search 


2.1  General 

This  section  summarizes  the  literature  search  performed  on  the  historical  path  of 
PRA  that  eventually  led  to  the  research  performed  in  this  work.  This  search  is  divided 
into  two  parts:  documents  dealing  with  PRA  history  and  its  application,  and  documents 
dealing  with  EDG  performance  and  improvement. 

2.2  PRA 

WASH-1400  [5],  the  reactor  safety  study  completed  in  1974,  is  the  definitive 
document  upon  which  all  nuclear  PRA  work  has  been  subsequently  based.  Sponsored  by 
the  United  States  Atomic  Energy  Commission,  WASH- 1400  is  the  initial  (extensive)  risk 
assessment  of  nuclear  power  plants  that  outlines  a  series  of  seven  tasks  (see  Figure  2.1). 
Performance  of  these  tasks  revealed  that  the  predominant  risk  in  a  nuclear  power  plant  is 
that  of  a  radioactive  fission  product  release.  The  report  identified  the  reactor  cooling 
system  as  the  subsystem  whose  failure  initiates  this  risk  making  the  cooling  system  the 
critical  portion  of  the  plant. 
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Figure  2.1  WASH- 1400  Seven  Task  Assessment  [6] 

Although  the  technical  results  of  WASH- 1400  were  not  fully  accepted  by  nuclear 
industry  professionals  and  government  officials  at  the  time  of  its  release,  this  document  is 
important  because  it  established  the  systematic  method  for  transforming  initiating  events 
into  risk  profiles  that  we  today  term  PRA.  Many  non-nuclear  industries  have  watched  the 
evolution  of  nuclear  PRA  with  interest  because  most  aspects  of  nuclear  PRA,  with 
suitable  alterations,  apply  to  other  fields. 

The  latest  format  of  nuclear  PRA  studies  consists  of  a  five  step  process  as 
outlined  in  the  NRC  document  NUREG-1 150.  These  steps,  outlined  in  Figure  2.2,  are 
very  similar  to  the  original  seven  tasks  in  WASH- 1400. 


Accident-Frequency 

Ac  cident-P  r  o  gr  e  ssi  on 

Source-Term 

Offsite  G  onsequence 

Risk 

Analysis 

Analysis 

Analysis 

Analysis 

Calculation 

Figure  2.2  Schematic  Diagram  of  Modem  PRA  Calculational  Sequence  [6] 


New  advancements  and  sophisticated  models  have  prompted  the  NRC 
increasingly  to  adopt  PRA  technology  as  a  tool  in  regulatory  decision  making.  The  NRC 
recently  issued  the  1995  Probabilistic  Risk  Assessment  Policy  Statement  [7]  which  along 
with  the  PRA  Implementation  Plan  [8]  is  intended  to  add  PRA  to  the  set  of  tools  used  by 
the  agency.  The  NRC  now  requires  that  a  plant-specific  PRA  be  submitted  by  each 
power  plant  licensee.  This  PRA  fulfills  the  plants'  obligations  under  the  Individual  Plant 
Examination  and  the  Individual  Plant  Examinats-Extemal  Events  programs.  These 
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reports  are  currently  being  evaluated  by  the  NRC  staff  in  order  to  identify  individual  plant 
risk  vulnerabilities. 

Leading  this  move  towards  increased  utilization  of  PRA  is  the  NRC  Chairman, 

Dr.  Shirley  A.  Jackson.  She  also  has  endorsed  the  use  of  RIPBR,  and  in  1996,  she 
subsequently  directed  the  NRC  staff  to  reconstruct  its  Standard  Review  Plan  and  to  issue 
corresponding  Regulatory  Guides  for  the  aid  of  licensees  attempting  to  incorporate 
RIPBR  into  their  PRA  analysis.  The  result  of  this  directive  was  the  November  1996 
issuance  of  DG-1061,  an  NRC  draft  regulatory  guide  promoting  the  use  of  PRA  for 
making  plant-specific,  risk-informed  permanent  current  licensing  basis  (CLB)  changes 

[9]. 

In  February  of  1997,  the  NRC  issued  an  additional  draft  regulatory  guide  that 
describes  an  acceptable  approach  for  applying  risk-informed  methods  to  Technical 
Specifications.  This  guide,  DG-1605  (Revision  5),  specifically  addresses  changes  to 
plant  allowed  outage  times  (AOTs)  and  surveillance  test  intervals  (STI)  [10].  Also 
delivered  in  February  were  the  RIPBR  Standard  Review  Plan  revisions  [1 1]. 

2.3  Emergency  Diesel  Generator 

Despite  the  long  history  of  EDG  use  in  nuclear  power  plants,  the  nuclear  industry 
produced  no  significant  reports  concerning  the  reliability  and  performance  of  nuclear 
diesels  until  the  1980s.  NUREG/CR-2989,  Reliability  of  Emergency  AC  Power  Systems 
at  Nuclear  Power  Plants  [12],  was  the  first  major  report  to  address  the  reliability  of 
EDGs.  This  report  addressed  the  reliability  of  the  on-site  ac  power  system  as  it  relates  to 
the  expected  frequency  of  station  blackout.  In  1986,  the  Nuclear  Science  Advisory 
Committee  produced  a  report  entitled  The  Reliability  of  Emergency  Diesel  Generators  at 
US  Nuclear  Power  Plants  [13]  which  also  addressed  the  reliability  of  EDGs  although  its 
evaluation  methods  conflicted  with  those  used  in  NUREG/CR-2989.  In  the  late  1980s, 
the  Electric  Power  Research  Institute  produced  a  report  on  EDGs  that  specifically 
addressed  monitoring  and  diagnostic  techniques  that  could  improve  nuclear  EDG 
reliability  [14]. 


16 


As  the  use  of  PRA  began  to  expand  in  the  early  1990s,  the  NRC  Office  for 
Analysis  and  Evaluation  of  Operational  Data  (AEOD)  undertook  an  effort  to  ensure  that 
expanded  PRA  use  could  be  implemented  in  a  consistent  and  predictable  manner.  To 
achieve  this  goal,  AEOD  initiated  a  review  of  the  functional  reliability  of  risk-important 
systems  in  nuclear  power  plants.  One  system  chosen  for  performance  evaluation  was  the 
EDO  power  system.  This  evaluation  resulted  in  INEL-95/0035,  Emergency  Diesel 
Generator  Power  System  Reliability.  1987-1993,  which  was  produced  by  Idaho  National 
Engineering  and  Environmental  Laboratory  (INEL)  [1].  This  study  looked  at  the 
reliability  of  EDGs  in  44  plants  using  actual  operating  experience  under  conditions 
similar  to  those  experienced  during  an  actual  loss  of  offsite  power. 

2.4  Conclusion 

Although  the  NRC  rejected  WASH-1400  in  1974,  the  conclusion  that  the  reactor 
cooling  system  was  the  largest  risk  contributor  to  fission  product  release  was  not 
incorrect.  In  fact,  the  cooling  system  is  still  the  largest  risk  contributor  in  most  plants 
today.  Since  EDGs  are  responsible  for  powering  the  cooling  system  and  all  other  safety 
systems  in  case  of  a  loss  of  offsite  power,  they  themselves  are  a  large  contributor  to  risk. 
With  the  increased  use  of  PRA,  it  is  not  surprising  that  INEL  was  asked  to  look  at  EDG 
reliability  in  depth. 

The  INEL  report,  along  with  recent  NRC  PRA  documents,  form  the  basis  for  a 
project  entitled  Integrated  Models,  Data  Bases  and  Practices  Needed  for  Performance- 
Based  Safety  Regulation.  Part  of  this  project  involves  the  application  of  PRA  to  specific 
EDG  reliability  issues  identified  by  the  INEL  report.  One  such  issue  identified  by  the 
authors  of  the  INEL  document  was  the  intrusive  inspection  performed  on  the  EDG  during 
the  refueling  outage. 

The  work  in  this  report  looks  at  the  EDG  refueling  outage  inspection  in  depth  and 
proposes  changes  through  the  application  of  PRA  as  a  result  of  the  author’s  involvement 
with  the  project  on  Integrate  Models,  Data  Bases  and  Practices  Needed  for  Performance- 
Based  Safety  Regulation. 
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Chapter  3  --  The  Millstone  3  EDG  System 

3.1  Introduction 

In  order  to  propose  steps  for  reliability  improvement  of  the  diesel,  we  must  first 
present  a  complete  illustration  of  current  EDG  requirements  and  performance  issues.  The 
current  EDG  inspection  requirements  are  necessarily  complex  and  rigorous  in  order  to 
ensure  that  nuclear  safety  goals  are  met.  However,  this  complexity  has  in  some  instances 
resulted  in  inspection  processes  that  have  structural  weaknesses  and  inspection 
requirements  that  produce  no  apparent  benefit  [15].  In  some  cases,  these  inspection 
requirements  result  in  a  degradation  of  the  reliability  and  performance  of  the  diesel. 

3.2  General  Description 

The  Millstone  3  (MP-3)  plant  utilizes  a  typical  emergency  power  supply  design 
that  consists  of  two  independent  emergency  power  supply  trains  connected  to  separate 
emergency  diesel  generators.  Most  safety  systems  employ  a  similar  redundant 
combination  in  order  to  safeguard  against  failure  of  single  component  systems.  Table  3.1 
summarizes  the  vital  parameters  of  the  two  identical  EDGs  utilized  at  MP-3.  Each  of  the 
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Manufacturer 

Colt-Pielstick 

Number  of  Cylinders 

14 

Operating  Cycle 

4-stroke 

Rating 

4.16  kV 

3  phase 

60  Hz 

Capacity 

4,986  kW  (continuous) 
5,335  kW  (2000  hour) 

Table  3.1  MP-3  Emergency  Diesel  Generator  Parameters 

EDGs  is  capable  of  starting  automatically  and  accelerating  to  rated  speed  and  subsequent 
loading  of  all  safety  and  essential  shutdown  loads  within  a  minimum  time  interval  (for 
MP-3,  this  time  interval  is  eleven  seconds).  In  the  case  of  an  emergency  power  demand, 
one  operable  EDG  is  sufficient  to  handle  all  safety  loads  [16].  _ . 


Figure  3.1  Emergency  Diesel  Generator  System 


Each  EDG  has  independent  support  systems  to  further  utilize  redundancy  and 
minimize  the  occurrence  of  common  cause  failures.  A  schematic  of  one  of  the  EDGs  and 
its  many  subsystems  is  illustrated  in  Figure  3.1.  The  dashed  line  represents  the  boundary 
of  the  system  and  demonstrates  that  most  of  the  support  systems  are  internal  to  the  EDG 
system. 

3.3  Testing  and  Inspection  Requirements 

The  primary  function  of  the  diesels  at  MP-3  is  to  supply  power  to  the  plant  safety 
systems  in  the  event  of  a  loss  of  offsite  power.  These  safety  systems  are  vital  loads 
needed  to  maintain  the  plant  at  a  safe  condition  until  offsite  sources  restore  power  to' the 
utility.  The  NRC  requires  MP-3  to  periodically  test  the  generators  and  related  support 
systems  to  ensure  that  the  EDGs  can  perform  this  vital  safety  role.  These  tests  primarily 
consist  of  periodic  time-based  runs  of  the  diesel  that  demonstrate  the  ability  of  the 
generator  to  fulfill  its  designed  load  and  response  criteria.  These  tests  also  provide  a 
means  to  track  and  demonstrate  the  reliability  of  the  EDG  to  ensure  that  it  has  a  small 
effect  on  the  core  damage  frequency  (CDF)  of  the  plant. 

In  addition  to  the  periodic  test  runs,  the  NRC  also  requires  specific  maintenance 
to  be  performed  on  each  EDG.  Each  maintenance  requirement  routinely  includes  some 
sort  of  inspection,  visual  or  otherwise,  to  be  performed  in  conjunction  with  the  periodic 
maintenance.  These  numerous  tests,  maintenance  plans,  and  inspections  are  outlined  by 
the  NRC  in  the  Technical  Specifications(TS)  of  MP-3  [17],  a  pertinent  excerpt  of  which 
can  be  found  in  Appendix  A. 

3.3.1  MP-3  Technical  Specification  4.8.1. 1.2.g.l 

This  project  deals  specifically  with  Technical  Specification  4.8.1.1.2.g.l  which 
requires  that  each  diesel  be  subjected  to  an  inspection  recommended  by  the  manufacturer 
of  the  EDG.  MP-3  must  perform  this  inspection  on  each  of  its  diesels  during  the  plant's 
refueling  outage.  This  corresponds  to  inspection  frequency  of  once  every  18  months. 
Appendix  B  contains  the  Colt-Pielstick  maintenance  instructions  for  standby  diesels  that 
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form  the  basis  for  all  diesel  maintenance  performed  at  MP-3  [17].  Table  3.2  contains  the 
section  dealing  specifically  with  the  refueling  outage  inspection  (ROI)  [16]. 


2  Remove  and  check  injection  nozzles  for  operation  and  opening  pressure. 

3.  Remove,  disassemble,  clean  and  repair  all  air  start  valves  and  air  start  distributors.  Clean/replace  air 
start  distributor  filter. 

4  Drain  and  refill  governor  and  turbochargers  with  approved  oil. 

5  Drain,  flush  and  refill  outboard  bearing  with  approved  oil. 

6  Check  tightness  on  all  foundation,  block  to  base,  oil  and  water  line  bolts. 

7.  Check  sample  ofrocker  lube  oil  for  condition  and  contaminants. 

8.  Check  turbocharger  inlet  casing  and  turbo  casing  water  passages  for  scale.  The  inside  surface  of  these 
casings  is  the  best  indication  for  adequacy  of  water  treatment. 

9.  Check  for  tighmess  of  exhaust  manifold  flange  bolts  to  cylinder  head  (165-195  ft.lbs.). 

10.  Check  all  safety  and  shutdown  controls  for  appropriate  pressures  and  temperatures. 

11.  Borescope  all  cylinder  liners. 

12.  Inspect  the  crankcase  end  of  all  cylinder  liners. 

13.  Check  main  bearing  cap  tightness  and  side  bolts.  Alternately  confirm  cap  tightness  to  frame  and 
saddle  to  .0015  feeler  gauge. 

14.  Visually  examine  gear  train  and  drives,  cam  shafts  and  bearings,  push  rods  and  rocker  arms. 

15.  Check  crankshaft  alignment  and  bearing  clearances. 

16.  Check  connecting  rod  bearing  clearances  with  feeler  gauges. 

17.  Inspect  all  ledges  and  comers  in  crankcase  for  debris  which  could  indicate  other  mechanical 
problems.  Confirm  all  cotters,  safety  wire  and  lock  tabs  are  in  place  and  tight. 

19.  Check  alternator  coils  and  poles  for  indication  of  movement  (visual). 

20.  Drain  and  refill  alternator  bearing  lube  sump.  If  oil  has  contaminates,  pull  bearing  cap  and  inspect 
journal. 

21.  Inspect  and  clean  (if  required)  overspeed  trip  mechanism.  Check  operation  according  to  overspeed 
trip  test  instructions. 

Table  3.2  Colt-Pielstick  Aimual/Refuel  Inspection  Items 


Millstone  3  has  written  two  plant-specific  maintenance  procedure  guides  based  on 
the  recommendations  of  Colt-Pielstick.  The  first  guide.  Production  Maintenance  Diesel 
Generator  Mechanical  Maintenance  (MP  3720CB)  [18],  is  a  general  maintenance  guide 
that  contains  weekly,  monthly,  annual,  and  refueling  outage  inspection  and  maintenance 
items.  The  second  document,  Emergency  Diesel  Generator  Surveillance  Inspection  (SP 
3712K)  [19],  is  a  detailed  disassembly  inspection  guideline  and  checklist  for  the  ROI. 
Although  these  two  guidelines  both  contain  specific  refueling  outage  inspection  items, 
they  remain  separated  because  of  the  different  emphasis  of  the  documents. 
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Both  of  these  documents  contain  inspection  and  maintenance  items  that  are  not 
required  by  Colt-Pielstick  but  were  determined  by  MP-3  to  be  beneficial  to  the  individual 
EDGs.  For  this  reason,  this  project  will  focus  only  on  the  items  listed  in  Table  3.2  as 
these  are  items  required  of  MP-3  regardless  of  the  benefit  or  detriment  which  these  items 
may  have  on  the  diesels. 

3.4  Conduct  of  Inspection 

MP-3  performs  extensive  detailed  plaiming  prior  to  each  refueling  outage  at  the 
utility.  The  diesels  are  an  integral  part  of  the  outage  plan  and  must  be  taken  out  of 
service  in  such  a  way  as  to  minimize  their  impact  on  the  critical  path  of  the  plant  yet  at 
the  same  time  ensure  that  an  appropriate  amount  of  defense  in  depth  is  maintained.  The 
last  planned  refueling  outage  that  took  place  at  MP-3  began  in  April  of  1995.  We  present 
the  1995  outage  in  order  to  illustrate  the  planning  and  execution  of  the  ROI  at  MP-3. 

3.4.1  Electrical  Power  Supply  Outage  Schedule 

Figure  3.2  is  a  reproduction  of  the  planned  electrical  power  supply  outage  strategy 
utilized  by  MP-3  to  carry  out  required  maintenance  and  testing  of  all  electrical  systems. 
This  outage  schedule  is  in  the  form  of  a  time  bar  chart  which  is  a  typical  format  for 
outage  planning  utilized  throughout  the  nuclear  industry.  At  the  top  of  the  chart,  the 
months  of  April  and  May  are  broken  up  into  weeks  so  that  the  approximate  starting  day 
and  time  of  each  outage  can  be  quickly  determined.  A  time  bar  indicating  the  length  of 

each  shutdown  in  hours  represents  each  scheduled  equipment  outage.  The  “  D  = _ 

symbol  gives  the  approximate  time  that  MP-3  expects  each  item  to  be  out  of  service 
(OOS).  Exact  start  dates  and  times  of  the  outages  are  indicated  to  the  left  of  each  bar 
while  the  ending  dates  and  times  are  indicated  to  the  right  of  each  bar. 

The  far  right  hand  side  of  the  chart  gives  a  brief  description  of  the  equipment  that 
is  unavailable  during  each  time  period.  The  three  main  equipment  categories  that  the 
electrical  power  supply  outage  schedule  cover  are  electrical  buses,  transmission  systems, 
and  the  EDGs.  There  are  three  transformers  that  appear  in  this  schedule.  They  include 
the  normal  station  transformer  (NSST),  the  ‘A’  reserve  station  transformer  (A  RSST)  and 
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the  ‘B’  reserve  station  transformer  (B  RSST).  The  NSST  is  the  normal  source  of  offsite 
power  at  the  plant  while  the  ‘A’  and  ‘B’  RSSTs  provide  a  backup  source  of  power  in  the 
event  that  the  normal  power  transformer  is  unavailable. 

The  electrical  power  supply  outage  schedule  includes  numerous  bus  outages. 
However,  only  two  of  the  bus  outages  affect  the  ability  of  the  EDGs  to  supply  power  in 
the  case  of  a  loss  of  offsite  power.  The  two  buses  in  question  are  bus  34  B/D  and 
bus  34  C.  We  address  the  impact  of  these  two  buses  on  the  EDGs  later  in  this  report. 

The  outage  schedule  shows  that  MP-3  scheduled  each  EDG  outage  in  1995  for 
approximately  170  hours,  or  approximately  seven  days.  EDG  outages  must  not  overlap 
since  one  diesel  must  be  available  at  all  times  in  case  of  a  loss  of  offsite  power.  This 
results  in  a  total  diesel  outage  time  of  340  hours.  Numerous  EDG  tests  occur  during  this 
outage  time  but  the  bulk  of  the  time  is  taken  up  with  the  ROI.  ]^-3  allocates 
approximately  120  of  the  170  hours  of  each  outage  to  the  ROI  for  a  total  outage  time  due 
to  both  ROIs  of  240  to  250  hours. 

The  MP-3  diesel  maintenance  engineer  utilizes  the  chart  in  Figure  3.2  as  a  general 
guideline  for  the  conduct  of  the  EDG  outage.  In  addition  to  this,  he  uses  a  much  more 
complex  bar  chart  that  details  the  allotted  time  for  each  test  and  individual  inspection 
item.  The  MP-3  diesel  maintenance  engineer  uses  both  of  these  plans  as  guidance 
throughout  the  refueling  outage  but  is  also  required  to  produce  real  time  or  “as  built”  bar 
charts  that  detail  the  actual  timeline  for  each  inspection  item  and  the  overall  conduct  of 
the  diesel  outage. 

3.4.2  Inspection  Team  Makeup 

The  MP-3  diesel  maintenance  engineer  conducts  the  actual  ROI  with  the  aid  of 
four  to  five  workers  at  any  one  time.  Typically,  two  of  these  workers  are  the  regular 
diesel  operators  while  the  remaining  laborers  axe  general  mechanics  temporarily  brought 
in  from  other  parts  of  the  plant.  These  workers  usually  operate  continuously  in  two  shifts 
so  that  there  are  a  total  of  eight  to  ten  workers  carrying  out  the  inspection  and 
maintenance  [21]. 
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In  addition  to  the  MP-3  employees,  a  Colt  factory  representative  must  be  present 
throughout  the  entire  ROI.  The  Colt  representative  is  responsible  for  evaluating  the 
condition  of  the  engine  and  ensuring  that  all  MP-3  workers  perform  all  inspection  items. 
They  are  additionally  responsible  for  reviewing  all  Colt  Service  Information  Letters  [22] 
with  the  maintenance  engineer.  These  letters  detail  problems  that  have  occurred  in 
similar  Colt  diesels  since  their  manufacture  and  provide  strategies  for  preventing  similar 

occurrences  in  MP-3  diesels. 

3.5  The  ROI  Dilemma 

The  current  EDO  refueling  outage  inspection  has  frustrated  diesel  operators  and 
engineers  for  several  years.  In  regulatory  documents,  the  ROI  is  termed  an  “inspection 
and  at  worse,  a  “disassembly  inspection.”  In  practice,  however,  those  tasked  with 
carrying  out  the  inspection  refer  to  it  more  aptly  as  a  teardown.  It  is  a  time-consuming, 
intrusive  process  that  leaves  the  diesel  vulnerable  to  human  error  and  exposes  the  plant  to 

unnecessary  safety  degradation  [15, 20]. 

The  root  of  the  problem  is  simple;  the  diesels  used  at  nuclear  power  plants  to 
provide  backup  power  were  not  designed  for  that  use.  Manufacturers  designed  these 
diesels  mainly  for  marine  operation  in  which  they  operate  for  extended  penods  of  time 
with  heavy  loads.  Overhauls  of  these  diesels  typically  occur  after  logging  hours  in  the 
thousands  to  tens  of  thousands  range.  The  operators  of  these  diesels  perform  overhauls 
to  identify  worn  and  degraded  parts  resulting  from  extended  operation.  Nuclear  utilities, 
by  contrast,  usually  perform  diesel  overhauls  after  only  approximately  one  hundred  hours 

of  use. 

It  is  easy  to  understand  why  this  has  happened.  When  MP-3  and  the  NRC 
established  the  Technical  Specifications,  the  authors  most  likely  acknowledged  that  the 
EDGs  would  not  log  the  hours  typically  required  for  a  major  overhaul.  However,  both 
parties  considered  overhauls  a  necessary  part  of  a  comprehensive  maintenance  program. 
Instead  of  requiring  a  minimum  number  of  hours  of  operation  before  overhaul,  a  time 
constraint  was  chosen  by  the  TS  authors  as  a  convenient  alternative.  This  move  is  similar 
to  an  automobile  warrantee  -  3  years  or  30,000  miles.  In  order  to  make  the  overhaul  of 
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the  diesel  compatible  with  the  operating  cycle  of  the  power  plant,  the  overhaul  frequency 
was  matched  to  the  refueling  cycle.  MP-3  most  likely  adopted  this  policy  based  on  the 
belief  that  the  plant  was  less  vulnerable  to  reactor  fuel  damage  during  the  refueling  period 
and  therefore  the  need  for  an  EDG  was  reduced  [15]. 

The  utilities  established  the  overhaul  requirements  at  a  time  when  the  plants  had 
little  operational  history.  Today’s  on-line  monitoring  systems  and  techniques  were  not 
available  to  diesel  operators.  Regulators  established  strict  deterministic  guidelines  with  a 
great  deal  of  built-in  conservatism  and  inflexibility.  However,  today’s  more  systematic, 
performance-oriented  regulatory  climate  has  prompted  evaluation  of  the  current 
regulations,  which,  in  the  case  of  the  EDG,  have  been  found  to  be  lacking. 

The  authors  of  the  INEL  report  on  EDG  reliability  felt  that  there  was  a  general 
trend  of  over-testing  and  over-inspecting  the  diesel  which  the  operational  history  of  the 
EDGs  did  not  warrant  [15].  The  overhaul  inspections  were  not  finding  the  wear  and  tear 
on  diesel  parts  that  the  regulators  designed  them  to  find.  Instead,  they  found  that  these 
inspections  were  an  avenue  in  which  human  errors  might  induce  immediate  or  latent 
failures.  Other  failures  may  be  introduced  through  non-human  means  such  as  the 
warpage  of  parts  upon  removal.  The  immediate  failures,  which  contribute  to  the  infant 
mortality  rate  of  the  EDG,  were  not  well  documented  by  diesel  operators  but  rather  were 
related  to  the  authors  through  numerous  anecdotes.  Experts  explained  the  reason  for  this 
lack  of  documentation  as  a  result  of  a  grace  period  that  the  utility  gives  to  the  diesel 
operators  at  the  completion  of  the  ROI.  This  policy  allows  operators  to  run  the  diesel  to 
ensure  its  operability  before  the  commencement  of  recorded  testing.  The  diesel  operators 
and  the  NRC  do  not  consider  failures  that  occur  during  the  trial  run  to  be  recordable  [21]. 

An  additional  concern  addressed  in  the  INEEL  report  was  the  omission  of 
maintenance  out  of  service  (MOOS)  demands  as  failures  when  determining  a  plant’s 
ability  to  meet  its  EDG  safety  goals.  A  MOOS  failure  occurs  when  there  is  a  real  demand 
on  the  diesel  during  a  loss  of  offsite  power  event  and  the  diesel  is  unavailable  to  operate 
because  it  is  being  inspected  or  having  maintenance  performed.  In  order  to  avoid  the 
danger  that  this  situation  implies,  utilities  have  traditionally  performed  the  overhaul 
during  plant  shutdowns.  However,  it  has  become  widely  recognized  that  the  times  of 
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greatest  plant  risk  may  not  be  those  when  the  plant  is  operating  at  high  power.  Rather, 
when  a  plant  is  undergoing  refueling,  its  vulnerability  for  reactor  fuel  damage  due  to  fuel 
cooling  failures  may  be  considerably  greater  than  when  at  high  power.  This  is  because  of 
the  greater  complexity  of  plant  configuration  control  --  with  an  attendant  increase  in 
human  error  probabilities,  and  because  of  reduced  redundancy  in  accomplishing  the  fiiel 
cooling  functions.  The  requirements  for  EDG  intrusive  inspections  exacerbate  the 
possibilities  of  such  cooling  failures  during  refueling  outages  and  may  actually  increase 
plant  fuel  damage  risks.  Reduced  inspection  requirements  would  reduce  this  concern 

[1, 15]. 

There  are  structural  problems  with  the  ROI  as  well.  The  required  presence  of  the 
Colt  representative  results  in  a  difficult  dilemma  for  the  EDG  system  team  at  MP-3.  The 
NRC  requires  only  that  MP-3  carry  out  those  inspection  items  deemed  necessary  by  the 
manufacturer.  Document  SP  3712K  outlines  the  inspection  stating  specifically  that 
“Inspection  items  may  be  altered  or  deleted  if  sufficient  justification  warrants  the  change 
as  judged  by  the  Colt  representative  and  the  MP-3  maintenance  engineer  [19].” 

According  to  the  MP-3  maintenance  engineer,  this  rarely  happens  in  practice.  If  any  part 
of  the  inspection  is  eliminated  or  shortened  by  MP-3,  this  in  turn  shortens  the  time  that 
the  Colt-Pielstick  representative  is  needed  as  a  consultant  at  MP-3.  A  termination  of 
inspection  items  might  also  result  in  a  smaller  demand  for  Colt-Pielstick  manufactured 
replacement  parts.  These  reasons  provide  a  possible  explanation  for  the  impasse  in 
adjusting  the  set  of  required  inspections  experienced  in  MP-3  and  other  plants  [21]. 

In  summary,  consensus  exists  among  those  persons  who  operate,  inspect  and 
evaluate  the  EDG  that  the  utilities,  with  the  cooperation  of  the  NRC,  need  to  improve  or 
even  eliminate  the  current  overhaul  requirements.  They  cause  far  too  frequent  invasion 
of  the  equipment  which  often  results  in  failures  caused  by  human  error.  The  outage  time 
associated  with  the  ROI  is  significant  and  unnecessarily  increases  the  probability  of 
damage  to  the  reactor  fuel  due  to  the  EDG  being  unavailable  for  service.  The  ROI  was 
established  at  a  time  when  there  was  no  operational  history.  However,  today’s  experience 
and  insight  demonstrate  the  diesel  ROI  can  and  should  change  accordingly. 
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Chapter  4  -  ROI  Improvement  Proposal  Based  on  Nuclear 
Industry  Expert  Opinion 

4.1  Introduction 

The  present  ROI  contains  both  structural  and  operational  problems  that  can 
benefit  from  change.  In  order  to  develop  an  improved  ROI,  we  used  the  expert  opinion  of 
the  diesel  engineer  at  MP-3  to  assess  each  inspection  item.  The  compilation  of  his 
suggestions  and  recommendations  result  in  a  streamlined  version  of  the  original  ROI. 

The  abbreviated  inspection  emphasizes  non-intrusive  practices,  engine  analysis,  and 
improved  human  oversight. 

4.2  Structural  Change 

The  first  step  in  the  improvement  of  the  performance  of  the  diesel  involves 
removal  of  barriers  that  currently  inhibit  change.  Currently,  the  main  barrier  to  alteration 
of  the  ROI  is  the  power  which  TS  4.8.1.1.2.g.l  affords  the  manufacturer  of  the  EDO.  No 
change  can  take  place  in  the  ROI  unless  the  manufacturer,  whom  MP-3  pays  to  oversee 
the  ROI,  approves  of  the  alteration.  This  results  in  an  obvious  conflict  of  interest. 

Alteration  of  this  fundamental  structural  problem  can  only  take  place  through  a 
change  in  the  Technical  Specification.  This  report  justifies  inspection  alteration  through 
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the  presentation  of  the  numerous  risk  and  safety  benefits  that  an  altered  ROI  will  produce. 
A  formulation  of  an  alternative  structure  for  the  administration  of  this  TS  is  not  the  focus 
of  this  work.  However,  we  discuss  possible  options  in  Chapter  10  as  a  starting  point  for 
future  work  in  this  area. 

4.3  ROI  Assessment 

Identification  of  those  parts  of  the  ROI  that  do  not  benefit  the  EDO  at  MP-3  is  a 
crucial  step  in  the  alteration  of  the  inspection.  We  accomplished  this  identification 
process  through  a  series  of  interviews  with  the  MP-3  diesel  maintenance  engineer  [21]. 
The  maintenance  engineer  has  an  extensive  knowledge  of  the  engine  past  performance 
history  as  he  has  been  responsible  for  the  diesel  maintenance  since  the  plant  start  up.  He 
has  conducted  EDO  inspections  through  five  refueling  outages  and  is  currently  involved 
with  proposing  changes  to  the  ROI  in  conjunction  with  the  EDG  owner’s  group. 

The  diesel  engineer  carefully  reviewed  each  of  the  twenty  inspection  items  before 
issuing  an  opinion  on  the  best  way  to  improve  the  individued  requirements.  In  order  to 
determine  the  best  option  for  each  requirement,  the  diesel  engineer  answered  the 
following  questions: 

1)  What  is  the  purpose  of  this  item? 

2)  Does  this  requirement  accomplish  its  purpose? 

3)  Is  the  requirement  excessively  intrusive  to  the  diesel? 

4)  Could  this  item  be  eliminated? 

5)  Could  this  inspection  item  be  improved  or  replaced  with  the  aid  of 
monitoring? 

6)  Could  this  inspection  item  benefit  from  periodicity  extension? 

Each  of  these  questions  hits  on  a  key  aspect  for  improvement  of  the  performance  of  the 
diesel. 

4.3.1  Individual  Requirement  Purpose 

The  first  two  questions  concerning  the  purpose  of  each  requirement  ascertain  the 
fundamental  goal  of  each  inspection  item.  If  an  inspection  item  is  not  accomplishing  its 
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purpose,  there  is  no  reason  to  continue  carrying  out  the  item.  Unnecessary  items  are  time 
consuming  and  provide  needless  avenues  for  human  error  introduction.  Additionally,  if 
the  item  does  not  accomplish  its  purpose,  this  may  mean  that  the  inspectors  should  adopt 
an  alternative  inspection  method. 

4.3.2  Excessive  Intrusiveness 

The  question  of  “excessive  intrusiveness”  is  a  vital  assessment  that  addresses  the 
potential  detriment  of  individual  inspection  items.  Intrusiveness  is  a  broad  term  that 
expresses  the  level  of  entry  into  the  diesel  required  by  a  particular  inspection.  Diesel 
experts  consider  inspection  items  intrusive  if  they  require  disassembly  of  several  parts  of 
the  diesel.  A  determination  of  excessive  intrusiveness  requires  the  diesel  engineer  to 
weigh  the  potential  benefits  and  detriments  of  each  item.  If  the  benefits  realized  by  the 
performance  of  an  inspection  do  not  outweigh  the  potential  downsides,  then  the  diesel 
engineer  considers  the  requirement  excessively  intrusive.  We  considered  inspection 
items  automatic  candidates  for  alteration  if  the  diesel  engineer  determined  the  items  to  be 
excessively  intrusive. 

Reduction  of  intrusiveness  benefits  the  hardware  of  the  diesel  in  several  ways. 
Every  time  a  diesel  worker  disassembles  a  part  of  the  diesel,  the  EDG  is  potentially 
exposed  to  warpage  and  the  introduction  of  moisture.  Both  of  these  phenomena  can 
cause  degradation  of  the  diesel  performanee  and  in  some  cases,  failure.  Intrusiveness 
additionally  exposes  the  diesel  to  the  introduction  of  errors  caused  by  human  action.  The 
diesel  inspectors  can  improperly  disassemble  or  reassemble  the  EDG.  Tools,  clothing,  or 
loose  diesel  parts  can  fall  inside  of  the  diesel.  Additionally,  diesel  operators  may 
misplace  parts  during  disassembly  which  can  potentially  delay  completion  of  the 
inspection. 

4.3.3  Item  Elimination 

Some  inspection  items  may  qualify  for  total  elimination  if  the  diesel  engineer 
considers  the  initial  purpose  of  the  requirement  uimecessary.  A  determination  of  total 
elimination  requires  the  diesel  engineer  to  assess  the  benefits  of  the  inspectimt  and  to 


30 


determine  if  the  information  gained  by  the  inspection  is  valuable  or  gives  unique 
information  about  the  status  of  the  diesel.  Unnecessary  inspection  items  consume  time 
and  resources  and  provide  an  additional  avenue  for  the  introduction  of  human  error. 

Total  elimination  can  apply  to  both  intrusive  and  non-intrusive  items. 

4.3.4  Monitoring  As  An  Alternative 

Engine  analysis  and  monitoring  can  replace  or  enhance  current  inspection 
requirements.  The  EDGs  at  MP-3  utilize  a  newly  installed  engine  analysis  system  called 
RECIPTRAP.  This  system  provides  a  copious  amount  of  information  to  the  operators  of 
the  diesel  and  has  proved  quite  valuable  since  its  installation.  The  MP-3  diesel  engineer 
stated  that  the  information  provided  by  this  system  could  adequately  replace  several  of 
the  current  inspection  items.  The  diesel  engineer  also  suggested  use  of  additional 
monitoring  devices  not  Currently  in  place  at  MP-3  that  could  adequately  replace  current 
inspection  items  [21]. 

4.3.5  Periodicity  Extension 

The  final  question  posed  to  the  diesel  engineer  was  that  of  the  periodicity 
extension  of  individual  items.  Periodicity  extension  refers  to  the  lengthening  of  the 
current  eighteen  month  time-base  of  the  ROI  for  specific  requirements.  This  would  apply 
to  items  that  the  diesel  engineer  feels  are  necessary  for  the  safe  operation  of  the  diesel  but 
the  inspection  requires  too  frequently.  The  diesel  engineer  often  recommended 
periodicity  extension  in  conjimction  with  engine  analysis. 

4.4  ROI  Recommendations 

Tables  4.1  -  4.3  display  the  diesel  engineer’s  expert  opinion  and  assessment  of 
each  inspection  item.  Each  table  represents  one  of  three  categories  of  alteration  that  MP- 
3  should  make  on  the  individual  inspection  items.  The  first  table  lists  those  inspection 
items  that  provide  net  benefits  to  the  diesel  in  their  present  manner.  The  diesel  engineer 
recommended  that  no  changes  be  made  to  these  items.  Table  4.2  contains  those 
inspection  items  that  the  diesel  engineer  feels  will  benefit  from  periodicity  extension. 
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The  final  table.  Table  4.3,  contains  inspection  requirements  that  the  engineer  feels  will 
benefit  from  replacement  with  monitoring  or  sensing  equipment. 

Each  of  the  three  tables  is  organized  in  an  identical  manner.  The  first  column  lists 
the  inspection  items  currently  required  by  Colt-Pielstick.  There  are  two  item  numbers 
missing  from  the  table.  The  numbering  of  the  items  begins  at  number  two  because  item 
one  refers  to  performance  of  regular  maintenance  required  of  the  diesel  operators  and  is 
not  an  actual  inspection  item.  Item  1 8  is  missing  from  the  table  because  the  manufacturer 
no  longer  requires  this  item  and  current  literature  does  not  contain  the  updated  numbering 
system.  Item  three  is  in  both  Tables  4.2  and  4.3  as  the  engineer  felt  that  it  could  benefit 
from  the  installation  of  sensing  equipment  as  well  as  periodicity  extension. 

The  second  column  of  each  table  contains  a  brief  description  or  commentary  on 
the  inspection  requirement.  In  some  cases,  this  commentary  describes  the  inspection 
process  if  it  is  unusual  or  xmclear.  In  other  cases,  the  commentary  sets  forth  the  objective 
of  a  particular  inspection  item. 

The  final  column  contains  the  recommendations  of  the  diesel  engineer.  After 
careful  consideration  of  the  six  questions  outlined  in  Section  4.3,  he  delivered  a 
coirunentary  that  outlines  problems  with  the  current  inspection.  This  column  contains  the 
engineer’s  proposed  solution  to  improve  the  inspection  item. 

The  diesel  engineer  recommended  that  eleven  of  the  nineteen  inspection  items 
remain  unaltered  (Table  4.1).  The  MP-3  engineer  noted  that  inspection  of  the  crankcase 
end  of  all  cylinder  liners  (Item  12)  is  an  item  that  provides  limited  knowledge  to  the 
inspectors.  He  did  not  recommend  the  item  for  alteration,  however,  because  of  the 
limited  resources  of  time  and  persoimel  required  to  perform  the  inspection.  The  diesel 
engineer  identified  two  items  of  the  nineteen  assessed  as  intrusive  inspections  that  MP-3 
should  not  alter  in  any  manner.  The  first  such  example  is  Item  13  which  requires 
checking  the  main  bearing  cap  tightness.  Despite  the  intrusive  nature  of  this  inspection,  it 
is  vital  to  ensure  that  caps  are  kept  tight  in  order  to  avoid  bearing  damage.  The  second 
inspection  is  Item  21  which  requires  a  static  test  of  the  overspeed  trip  mechanism. 
Although  the  static  test  is  intrusive,  it  has  no  adequate  replacement  and  should  continue 
as  part  of  the  ROI  in  its  original  form. 
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Item  # 
From 
Current 
ROl 

Checklist 

Current  Colt-Pielstick 
Requirement 

Description 

MP-3  Diesel  Engineer 
Recommendations 

5 

Drain,  flush  and  refill  outboard 
bearing  with  approved  oil. 

The  outboard  bearing  is  subjected  to  oil 
replacement  to  ensure  a  high  quality  and 
appropriate  level  of  oil  is  present  within 
the  equipment. 

No  change  recommended. 

6 

Check  tightness  on  all  foundation, 
block  to  base,  oil  and  water  line 
bolts. 

Bolt  checking  tasks  involve  verifying  that 
they  are  wrench  tight.  Properly  tightened 
bolts  prevent  leakage  and  insure  the 
integrity  of  the  diesel. 

No  change  recommended. 

7 

Check  sample  of  rocker  lube  oil 
for  condition  and  contaminants. 

A  comprehensive  assessment  of  oil  quality 
can  identify  numerous  problems  within 
the  EDO  including  water  leaks  and 
corrosion. 

No  change  recommended. 

8 

Check  turbocharger  inlet  casing 
and  turbo  casing  water  passages 
for  scale.  The  inside  surface  of 
these  casings  is  the  best  indication 
for  adequacy  of  water  treatment. 

Proper  water  treatment  is  essential  because 
it  protects  the  hardware  of  the  diesel  from 
corrosion. 

No  change  recommended. 

10 

Check  all  safety  and  shutdown 
controls  for  appropriate  pressures 
and  temperatures. 

Safety  systems  on  the  diesel  guarantee 
that  the  EDG  will  shut  down  if  it  is 
operating  in  a  dangerous  condition. 

No  change  recommended. 

12 

Inspect  the  crankcase  end  of  all 
cylinder  liners. 

This  inspection  is  performed  to  identify 
debris  that  has  entered  this  space. 

This  inspection  is  not 
intrusive  but  has  limited 
usefulness. 

13 

Check  main  bearing  cap  tightness 
(9950-1 100  psi  hydraulic)  and 
side  bolts  (hammer  tight). 
Alternately  confirm  cap  tightness 
to  frame  and  saddle  to  .0015  feeler 
gauge. 

The  consequence  of  loose  bolts  in  this 
area  can  be  serious.  The  bolts  are  checked 
for  proper  tightness  to  prevent  bearing 
damage. 

This  inspection  is 
intrusive  but  should  be 
performed. 

16 

1 

Check  connecting  rod  bearing 
clearances  with  feeler  gauge. 

This  check  determines  the  need  for 
bearing  replacement  and  is  now  performed 
visually. 

No  change  recommended. 

17 

Inspect  all  ledges  and  comers  in 
crankcase  for  debris  which  could 
indicate  other  mechanical 
problems.  Confirm  all  cotters, 
safety  wire  and  lock  tabs  are  in 
place. 

This  visual  inspection  identifies  debris 
that  may  cause  future  problems  within  the 
diesel. 

No  change  recommended. 

20 

Drain  and  refill  alternator  bearing 
lube  sump.  If  oil  has 
contaminants,  pull  bearing  cap 
and  inspect  journal. 

A  comprehensive  assessment  of  oil  quality 
can  identify  numerous  problems  within 
the  EDG  including  water  leaks  and 
corrosion. 

No  change  recommended. 

21 

Inspect  and  clean  (if  required) 
overspeed  trip  mechanism.  Check 
operation  according  to  overspeed 
trip  test  instructions. 

This  inspection  is  a  static  test  that  ensures 
the  trip  mechanism  moves  smoothly.  This 
equipment  performs  an  important  safety 
role  within  the  diesel. 

This  inspection  is 
intrusive  but  beneficial 
and  should  not  be  altered. 

Table  4.1  Refueling  Outage  Inspection  Items  Not  Recommended  for  Alteration 


33 


Item  # 
From 
Current 
ROI 

Checklist 

Current  Colt-Pielstick 
Requirement 

Description 

MP-3  Diesel  Engineer 
Recommendations 

3* 

Remove,  disassemble,  clean 
and  repair  all  air  start  valves 
and  air  start  distributors. 
Clean/replace  air  start 
distributor  filter. 

Engine  starting  is 
accomplished  by  the  action  of 
compressed  air  on  the 
cylinders  in  their  proper  firing 
order.  All  valves  and 
distributors  must  be 
completely  disassembled  and 
cleaned. 

Short  runs  of  the  EDG  tend  to 
leave  “gunk”  which  this 
inspection  reveals.  However, 
problems  in  this  area  can  be 
revealed  with  the  aid  of 
temperature  sensors  on  the  air 
supplv  line.  A  periodicitv 
extension  to  once  every  other 
refuel  would  be  beneficial. 

4 

Drain  and  refill  governor  and 
turbochargers  with  approved 
oil. 

The  governor  and 
turbochargers  are  subject  to 
oil  replacement  in  order  to 
ensure  a  high  quality  and 
appropriate  level  of  oil  is 
present  within  the  equipment. 
Oil  lubrication  is  an  essential 
part  of  a  comprehensive 
maintenance  plan. 

This  practice  is  not  intrusive  or 
time  consuming  but  does 
provide  an  opportunity  for 
human  error.  Periodicity 
extension  would  be  beneficial 
here. 

14 

Visually  examine  gear  train 
and  drives,  cam  shafts  and 
bearings,  push  rods  and 
rocker  arms. 

A  visual  check  of  these  areas 
allows  for  the  identification  of 
excessive  wear  or  damage. 

The  bearing  check  is  an 
intrusive  process.  The 
periodicitv  should  be  extended 
to  every  other  refuel. 

Table  4.2  Refueling  Outage  Inspection  Items  Recommended  for  Periodicity  Extension 
(♦Item  3  also  appears  in  Table  4.3  as  it  benefits  from  both  periodicity  extension  and  installation  of  sensing 
equipment.) 

Table  4.2  lists  the  three  items  that  the  MP-3  diesel  engineer  identified  as 
benefiting  from  periodicity  extension.  These  are  items  where  the  engineer  judges  that  the 
current  ROI  requires  being  performed  too  frequently  --  to  the  detriment  of  the  diesel 
itself  Item  three  requires  the  inspector  to  disassemble  and  clean  all  of  the  air  start  valves. 
Although  this  type  of  inspection  can  reveal  problems  with  the  valves,  engine  analysis  can 
also  reveal  this  information  without  the  intrusiveness  of  disassembly.  However,  periodic 
cleaning  of  the  air  start  valves  is  still  beneficial  and  the  new  inspection  should  require 
cleaning  every  other  refueling  outage  as  a  maintenance  procedure. 

Item  four  requires  the  inspection  team  to  drain  and  refill  the  governor  and 
turbocharger  oil.  Although  changing  oil  is  a  good  maintenance  practice,  the  small 


34 


number  of  hours  that  the  diesel  operates  does  not  justify  changing  the  oil  every  refueling 
outage.  The  diesel  engineer  judged  that  extension  of  the  oil  change  to  once  every  other 
refueling  outage  will  not  noticeably  degrade  the  oil  quality. 

Historically,  the  visual  inspection  of  the  camshaft  bearings  has  found  scoring  on 
only  one  occasion.  Further  investigation  has  determined  that  this  scoring  occurred  during 
the  original  startup  of  the  diesel.  Subsequent  inspections  have  found  no  problems  and  the 
diesel  engineer  recommended  that  this  inspection  be  performed  only  once  every  other 
refueling  outage. 

It  is  important  to  note  that  periodicity  extension  does  not  necessarily  mean  that 
MP-3  should  only  perform  an  individual  item  every  other  refueling  outage.  In  some 
cases,  the  inspection  team  can  split  a  task  between  two  refueling  outages.  For  example, 
the  team  can  inspect  half  of  the  air  start  valves  during  one  refueling  outage  leaving  the 
other  half  for  inspection  during  the  next  ROI.  This  practice  promotes  continuity  and 
standardization  between  subsequent  ROIs  and  allows  the  operator  performing  the 
inspection  to  be  more  familiar  with  the  mechanics  of  disassembly. 

MP-3  has  implemented  several  monitoring  and  trending  programs  since  the 
diesels  were  first  operated.  Monthly  lubrication  oil  analyses,  start  time  trending,  and 
cylinder  temperature  trending  all  provide  alternate,  indirect  methods  for  determining  the 
existance  of  possible  engine  problems.  The  diesel  engineer  expressed  the  importance  of 
parallel  execution  of  all  of  these  programs  that  in  many  cases  provide  more  information 
about  the  status  of  the  diesel  than  visual  or  disassembly  inspections.  Lubrication  oil 
analyses  is  especially  important  because  it  can  reveal  internal  engine  water  leaks  and  can 
even  identify  excessive  parts  wear  or  bearing  problems  if  analysis  detects  metal  particles 
in  the  sampled  oil. 

Table  4.3  summarizes  the  alterations  that  the  diesel  engineer  judges  are  justified 
with  the  use  of  current  monitoring  and  trending  programs  that  are  currently  available  to 
diesel  operators.  MP-3  already  utilizes  several  of  these  programs  and  the  diesel  engineer 
hopes  to  implement  others  in  the  future.  Two  benefits  realized  through  use  of  monitoring 
and  sensing  equipment  are  the  reduction  in  the  number  of  intrusive  practices  and  the 
reduction  in  the  numbers  of  avenues  for  human  error  [21]. 
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Item  # 
From 
Current 
ROI 

Checklist 

Current  Colt-Pielstick 
Requirement 

Description 

MP-3  Diesel  Engineer 
Recommendations 

2 

Remove  and  check  injection 
nozzles  for  operation  and 
opening  pressure. 

Injection  nozzles  spray  fuel  into 
the  cylinder.  The  nozzles  are 
subjected  to  a  static  test  which 
assesses  their  spray  pattern  and 
opening  pressure.  Failure  of  the 
injection  nozzle  or  pump  will 
result  in  an  increased  loading  on 
the  other  pistons  to  maintain 
engine  power  output. 

The  Static  test  currently  performed  is 
not  an  accurate  simulation  of  actual 
run  conditions.  Engine  analysis 
would  be  more  beneficial  especially 
since  this  is  and  extremely  intrusive 
practice.  Also,  there  is  evidence 
that  the  engine  is  not  sensitive  to 
minor  failures  of  the  injectors. 

3* 

Remove,  disassemble,  clean  and 
repair  all  air  start  valves  and  air 
start  distributors.  Clean/replace 
air  start  distributor  filter. 

Engine  starting  is  accomplished 
by  the  action  of  compressed  air  on 
the  cylinders  in  their  proper  firing 
order.  All  valves  and  distributors 
must  be  completely  disassembled 
and  cleaned. 

Short  runs  of  the  EDG  tend  to  leave 
“gunk”  which  this  inspection 
reveals.  However,  problems  in  this 
area  can  be  revealed  with  the  aid  of 
temperature  sensors  on  the  air 
supply  line.  A  periodicity  extension 
to  once  every  other  refuel  would  be 
beneficial. 

9 

Check  for  tightness  of  exhaust 
manifold  flange  bolts  to  cylinder 
head  (165-195  ft.lbs). 

Proper  tightness  of  bolts  insures 
that  significant  exhaust  leakage 
does  not  occur. 

This  practice  is  time  consuming  and 
could  be  replaced  with  exhaust 
leakage  monitoring. 

11 

Borescope  all  cylinder  liners. 

Borescoping  of  the  cylinder  liners 
involves  inserting  a  viewing 
device  into  the  individual 
cylinders.  The  borescope  allows 
the  inspector  to  identify  areas  of 
excessive  wear. 

This  practice  is  unnecessary  and 
extremely  intrusive.  No  problems 
have  been  identified  in  the  MP-3 
diesels  with  this  method  and  the 
liners  always  look  brand  new. 

Eneine  and  oil  analysis  as  well  as 
monitorine  of  the  firine  pressure 
would  reveal  the  problems  this  test 
was  designed  to  identify. 

15 

Check  crankshaft  alignment  and 
bearing  clearances. 

This  test  provides  information 
about  bearing  condition  and 
alignment  of  the  crankshaft. 

Proper  alignment  is  essential  for 
operation  of  the  diesel. 

Web  deflection  is  very  intrusive  and 
difficult  to  perform.  It  has  never 
revealed  problems  at  MP-3. 

Vibration  analysis  and  oil  analysis 
would  both  reveal  any  problems. 

19 

Check  alternator  coils  and  poles 
for  indication  of  movement 
(visual). 

This  inspection  reveals  problems 
caused  by  arcing  within  the  diesel. 

This  inspection  is  not  intrusive  to 
the  internals  of  the  diesel  but 
requires  a  great  deal  of  outer 
disassembly  to  access  the  area.  This 
practice  is  very  time  consuming  and 
could  be  replaced  with  resistance 
monitorine. 

Table  4.3  Refueling  Outage  Inspection  Items  Recommended  for  Replacement  with 
Engine  Analysis,  Monitoring,  or  Sensing  Activities  (*Item  3  also  appears  in  Table  4.2  as  it 
benefits  from  both  periodicity  extension  and  installation  of  sensing  equipment.) 


Monitoring  and  sensing  techniques  have  some  disadvantages  and  costs. 
Introduction  of  new  equipment  into  the  system  requires  retraining  of  the  operators.  For 
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example,  proper  and  rigorous  training  of  diesel  operators  is  necessary  before  MP-3 
implements  the  new  equipment.  Also,  the  equipment  itself  may  malfunction  and  provide 
incorrect  readings.  In  order  to  combat  malfunctioning  sensors,  the  diesel  operators  must 
install  multiple  apparati  in  order  to  provide  redundant,  and  therefore  more  reliable, 
readings  [3]. 

4.4.1  ROI  Recommendations  Summary 

The  MP-3  diesel  engineer  is  very  familiar  with  the  operational  history  of  the  two 
EDGs  in  question.  His  recommendations  are  based  on  extensive  experience  and  first¬ 
hand  application  of  the  Colt-Pielstick  requirements.  The  ROI  alterations  listed  in  Tables 
4.2  and  4.3  drastically  reduce  the  intrusiveness  of  the  current  overhaul  and  place 
increased  reliance  on  monitoring  and  sensing  equipment. 

4.5  Recommendation  Comparison 

In  order  to  assess  the  value  of  the  recommendations  made  by  the  MP-3  diesel 
engineer,  we  solicited  additional  opinions  from  sources  within  the  nuclear  industry.  The 
first  set  of  opinions  comes  from  the  diesel  engineer  at  Millstone  2  (MP-2)  [23].  His 
opinions  concerning  the  individual  inspection  items  closely  agree  with  those  made  by  the 
MP-3  diesel  engineer.  We  also  reviewed  a  second  set  of  recommendations  for  ROI 
changes  from  the  EDG  Owners'  Group  and  discovered  several  similarities  with  the 
proposed  alterations  [24]. 

4.5.1  MP-2  Diesel  Engineer 

We  obtained  an  additional  expert  opinion  concerning  the  Colt-Pielstick  ROI  from 
the  diesel  engineer  at  MP-2  in  an  effort  to  assess  the  consistency  of  the  recommendations 
made  by  the  MP-3  engineer.  The  MP-2  diesel  engineer  has  extensive  EDG  experience 
and  fills  the  same  position  as  the  MP-3  engineer  on  the  ROI  team.  We  selected  him  for 
his  expertise  and  because  he  oversees  the  MP-2  diesels  in  a  similar  management  and 
operational  environment  as  that  of  MP-3.  Additionally,  the  diesel  operators  and  laborers 
utilized  during  the  ROI  activities  in  MP-2  are  trained  similarly  to  those  working  in  MP-3. 
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Although  Colt-Pielstick  manufactures  the  diesels  utilized  in  MP-2,  the  EDGs  are 
opposed  piston  diesels,  which  make  them  fundamentally  different  from  those  utilized  in 
MP-3.  This  structural  difference  results  in  a  distinct  set  of  ROI  requirements  that  are 
difficult  to  compare  to  the  MP-3  requirements.  We  therefore  asked  the  MP-2  diesel 
engineer  to  review  the  MP-3  requirements  and  give  his  opinion  on  the  inspection  items 
based  on  his  general  diesel  expertise.  Using  the  same  six  questions  as  a  guide,  the  MP-2 
diesel  engineer  proposed  the  recommendations  foimd  in  Table  4.4. 


Item  # 
From 
Current 
ROI 

Checklist 

Current  Colt-Pielstick  Requirement 

MP-2  Diesel  Engineer 
Recommendation 

2 

Remove  and  check  injection  nozzles  for 
operation  and  opening  pressure. 

One  fourth  of  the  injectors  usually  fail  the 
“pop”  test.  However,  the  engine  does  not 
appear  to  be  sensitive  to  these  failures.  Beta 
RECIPTRAP  vibration  readings  may  be  a  more 
beneficial  test. 

3 

Remove,  disassemble,  clean  and  repair  all  air  ... 
start  valves  and  air  start  distributors. 
Clean/replace  air  start  distributor  filter.  ^ , 

The  periodicity  of  this  inspection  should  be 
changed  to  36-48  months. 

4 

Drain  and  refill  governor  rad  turbochargers 
with  approved  oil. 

The  governor  oil  should  be  replaced  every  36- 
48  months. 

10 

Check  all  safety  and  shutdown  controls  for 
appropriate  pressures  and  temperatures. 

Recommend  periodicity  change  to  36  or  48 
months. 

11 

Borescope  all  cylinder  liners. 

No  change.  Beta  RECIPTRAP  may  reveal 
problems  with  liners. 

15 

Check  crankshaft  alignment  rad  bearing 
clearances. 

Recommend  extension  of  periodicity  to  36 
months. 

19 

Check  alternator  coils  rad  poles  for  indication 
of  movement  (visual). 

Opposed  piston  diesels  do  not  have  an  access 
problem  but  other  diesels  may  experience 
difficulty. 

21 

Inspect  and  clean  (if  required)  overspeed  trip 
mechanism.  Check  operation  according  to 
overspeed  trip  test  instructions. 

Periodicity  should  be  extended. 

Table  4.4  MP-2  Diesel  Engineer  Recommendations  for  EDO  Refueling  Outage  Inspection  Changes 
[Shaded  items  indicate  agreement  with  recommendations  made  by  the  MP-3  diesel  engineer] 

The  MP-2  diesel  engineer  identified  eight  inspection  items  that  he  judged  would 
benefit  from  alteration.  This  number  is  identical  to  that  identified  by  the  MP-3  diesel 
engineer.  The  six  shaded  items  in  Table  4.4  are  requirements  that  both  of  the  diesel 
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engineers  identified  as  candidates  for  alteration.  The  recommendations  for  these  six 
items  are  not  exactly  the  same  but  have  a  similar  nature.  The  alterations  suggested  by  the 
MP-2  engineer  consisted  mostly  of  recommendations  for  periodicity  extension.  This 
contrasts  with  the  MP-3’s  alterations  which  relied  more  heavily  on  engine  analysis  and 
monitoring. 

The  MP-2  diesel  engineer  was  quick  to  mention  that  the  diesels  at  MP-2  were  not 
as  rigorously  monitored  as  those  in  MP-3.  This  may  accovmt  for  the  lack  of  engine 
analysis  replacement  in  his  recommendations.  The  MP-2  diesel  engineer  did,  however, 
attempt  to  note  items  that  he  judged  could  be  replaced  by  engine  analysis.  For  example, 
he  listed  the  borescoping  required  by  Item  1 1  as  a  possible  candidate  for  replacement  by 
engine  analysis. 

The  MP-2  diesel  engineer  judged  that  the  current  Colt-Pielstick  requirements 
subjected  the  diesels  to  uimecessary  intrusiveness  that  alteration  of  the  ROI  would 
reduce.  He  also  agreed  that  the  recommendations  made  by  the  MP-3  diesel  engineer  were 
appropriate  for  the  MP-3  diesels. 

4.5.2  Fairbanks  Morse  Owners’  Group 

MP-3  is  a  member  of  the  Fairbanks  Morse  Owners’  Group  (FMOG),  an 
organization  of  utilities  that  utilize  Colt-Pielstick  diesels  (Fairbanks  Morse  manufactures 
Colt-Pielstick  diesels).  FMOG  recently  released  a  set  of  proposed  changes  to  the  ROI 
requirements  [24].  These  will  soon  be  presented  to  Colt-Pielstick  for  adoption.  The 
recommendations  made  in  this  document  are  confidential  at  this  time  but  they  agree 
closely  with  the  recommendations  made  by  the  MP-3  diesel  engineer.  This  is  not 
surprising  as  the  MP-3  diesel  engineer  assisted  to  a  limited  extent  in  the  preparation  of 
these  recommendations. 

4.5.3  Summary 

Comparison  of  the  recommendations  of  the  MP-2  diesel  engineer  and  the  FMOG 
to  the  ROI  alterations  proposed  by  the  MP-3  diesel  engineer  reveals  that  all  agree  that 
MP-3  should  alter  its  inspection  requirements.  The  MP-2  diesel  engineer  and  the 
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Owners'  Group  both  recommend  a  majority  of  the  items  recommended  for  alteration  by 
the  MP-3  engineer.  This  demonstrates  that  the  MP-3  engineer’s  recommendations  are 
valid  alterations  which  address  inspection  items  that  contradict  fundamental  engineering 
practices. 

The  MP-3  diesel  engineer’s  familiarity  with  the  operational  history  of  the  MP-3 
diesels  may  account  for  recommendations  for  specific  item  alterations  that  the  MP-2 
engineer  and  FMOG  did  not  recommend.  For  example,  the  MP-3  engineer  recommended 
an  increase  in  the  periodicity  of  camshaft  bearing  inspections  that  the  MP-2  diesel 
engineer  did  not  suggest.  The  MP-3  diesel  engineer  based  this  recommendation  upon  the 
operational  history  of  the  EDGs  in  MP-3  with  which  the  MP-2  diesel  engineer  is  not 
familiar. 

We  henceforth  treat  the  MP-3  diesel  engineer’s  ROI  alterations  as  constituting  a 
reference  set  of  recommendations,  based  upon  sound  engineering  principles  that  increase 
the  reliability  of  the  diesels. 

4.6  Conclusion 

The  MP-3  diesel  engineer  has  a  comprehensive  and  extensive  knowledge  of  the 
EDGs  at  MP-3.  His  recommendations  for  the  ROI  fell  into  one  of  three  categories:  1) 

No  change,  2)periodicity  extension,  or  3)engine  analysis,  monitoring,  or  sensing 
replacement.  Of  the  nineteen  items  currently  required  by  Colt-Pielstick,  the  MP-3 
engineer  recommended  the  alteration  of  eight  of  them.  Comparison  of  additional  expert 
opinion  recommendations  to  those  made  by  the  MP-3  engineer  revealed  agreement  with 
his  alterations.  The  ROI  resulting  from  his  recommendations  is  a  streamlined  inspection 
set  that  is  much  less  intrusive  into  the  diesel  and  relies  heavily  upon  engine  analysis, 
monitoring  and  sensing  for  indication  of  EDG  degradation.  We  utilize  the  improved 
refueling  outage  inspection  (IROI),  summarized  in  Table  4.5,  throughout  this  work  as  a 
model  for  diesel  reliability  improvement. 
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IROI 
Item  # 

IROI  Requirement 

1 

Remove,  disassemble,  clean  and  repair  half  of  all  air  start  valves  and  air  start  distributors. 
Clean/replace  associated  air  start  distributor  filter. 

2 

Drain  and  refill  governor  and  turbochargers  with  approved  oil  every  other  refuel. 

3 

Drain,  flush  and  refill  outboard  bearing  with  approved  oil. 

4 

Check  tightness  on  all  foundation,  block  to  base,  oil  and  water  line  bolts. 

5 

Check  sample  of  rocker  lube  oil  for  condition  and  contaminants. 

6 

Check  turbocharger  inlet  casing  and  turbo  casing  water  passages  for  scale.  The  inside 
surface  of  these  casings  is  the  best  indication  for  adequacy  of  water  treatment. 

7 

Check  all  safety  and  shutdown  controls  for  appropriate  pressures  and  temperatures. 

8 

Inspect  the  crankcase  end  of  all  cylinder  liners. 

9 

Check  main  bearing  cap  tightness  (9950-1 100  psi  hydraulic)  and  side  bolts  (hammer  tight). 
Alternately  confirm  cap  tightness  to  frame  and  saddle  to  .0015  feeler  gauge. 

10 

Visually  examine  gear  train  and  drives,  cam  shafts,  push  rods  and  rocker  arms.  Visually 
examine  camshaft  bearing  every  other  refuel. 

11 

Visually  check  connecting  rod  bearing  clearances. 

12 

Inspect  all  ledges  and  comers  in  crankcase  for  debris  which  could  indicate  other  mechanical 
problems.  Confirm  all  cotters,  safety  wire  and  lock  tabs  are  in  place. 

13 

Drain  and  refill  alternator  bearing  lube  sump.  If  oil  has  contaminants,  pull  bearing  cap  and 
inspect  journal. 

14 

Inspect  and  clean  (if  required)  overspeed  trip  mechanism.  Check  operation  according  to 
overspeed  trip  test  instructions. 

Table  4.5  Final  Set  of  Improved  Refueling  Outage  Inspection  (IROI)  Requirements 
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Chapter  5  --  Non-Nuclear  Power  Industry  EDG  Standards  and 
Requirements 


5.1  Introduction 

The  nuclear  power  industry  is  not  the  sole  operator  of  diesel  engines  for 
emergency  or  standby  use.  Diesels  are  used  for  emergency  backup  power  throughout  the 
country  in  hospitals,  laboratories  and  buildings  where  elevator  use  is  critical.  The  Federal 
Aviation  Administration  maintains  EDGs  at  its  air  traffic  control  centers  in  order  to 
provide  backup  power  for  vital  equipment  in  case  of  a  loss  of  offsite  power.  The  US 
Navy  uses  EDGs  onboard  nuclear  surface  ships  and  submarines  in  order  to  provide  power 
to  safety  systems  if  the  reactor  is  shut  down.  All  of  these  applications  rely  upon  the  EDG 
in  some  way  to  prevent  the  loss  of  human  life  or  property  making  their  reliable  operation 
critical. 

Although  EDG  experts  within  the  nuclear  power  industry  agreed  that  the  ROI 
requirements  are  intrusive  and  performed  too  frequently,  they  generally  had  little 
knowledge  of  how  these  requirements  compared  to  EDG  practices  outside  the  nuclear 
power  industry.  A  survey  of  experts  in  the  US  Navy,  the  FAA  and  non-nuclear  industries 
revealed  that  they  generally  agreed  with  the  assessment  of  the  nuclear  EDG  experts.  The 
EDGs  in  these  various  industries  undergo  overhaul  rarely,  if  ever.  A  line  by  line 
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comparison  of  the  eighteen  month  inspection  requirements  for  the  nuclear  power 
industry,  the  FAA,  and  the  US  Navy  reveals  that  the  nuclear  power  inspection  is  much 
more  rigorous  and  intrusive  to  the  diesel  than  inspections  required  by  the  others. 

Despite  less-rigorous  and  intrusive  inspections,  the  other  groups  using  EDGs 
appear  to  be  quite  satisfied  with  the  performance  and  reliability  of  their  respective  diesels. 
This  knowledge,  in  conjunction  with  the  line-by-line  ROI  comparison,  supports  the 
nuclear  power  industry  expert  opinion  that  the  EDGs  willl  benefit  fi-om  alteration  of  the 
intrusive  inpections. 

5.2  US  Hospitals 

A  loss  of  commercial  power  in  a  hospital  can  be  disastrous  for  patients  depending 
upon  electrically  powered  life-sustaining  equipment.  Emergency  diesel  generators 
literally  become  a  lifeline  for  these  people  during  a  power  outage.  For  this  reason,  the 
EDGs  used  in  hospitals  are  governed  by  numerous  safety  codes  which  set  forth 
maintenance  and  testing  requirements  designed  to  keep  the  diesel  operating  at  a  high 
level  of  reliability  [25]. 

Maintenance  engineers  in  two  Boston  area  hospitals  answered  questions 
concerning  the  diesels  that  they  supervised  [26, 27].  Both  engineers  have  extensive 
experience  with  the  diesels  in  their  care  and  are  familiar  with  the  operational  history  of 
each  of  the  diesels.  The  EDGs  used  in  these  hospitals  are  manufactured  by  various 
vendors  and  vary  greatly  in  age  and  load  capacity.  The  operators  of  these  diesels, 
however,  subject  all  of  the  diesels  to  the  same  testing  and  maintenance  requirements. 

Hospital  employees  perform  most  of  the  maintenance  and  testing  on  their  diesels 
although  each  of  the  hospitals  also  hires  a  certified  generator  maintenance  contractor  to 
fialfill  periodic  additional  maintenance  needs.  The  contractor  only  performs  an  overhaul 
on  these  diesels  when  testing  or  routine  maintenance  reveals  a  problem.  One  of  the 
maintenance  engineers  recalled  only  one  overhaul  taking  place  at  his  hospital  over  a 
period  of  twenty-two  years.  That  particular  diesel  needed  an  overhaul  as  a  result  of 
numerous  instances  of  unloaded  operation. 
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When  asked  about  the  source  for  the  diesel  testing  and  maintenance  requirements, 
both  engineers  stated  that  they  have  some  freedom  to  set  their  own  requirements. 
However,  both  stated  that  they  understand  the  minimum  standards  to  which  they  must 
adhere  are  set  by  the  Joint  Commission  on  Accreditation  of  Healthcare  Organizations 
(JCAHO). 

5.2.1  Code  Requirements 

An  investigation  of  the  JCAHO  requirements  for  testing  and  maintenance  of 
EDGs  revealed  that  this  organization  is  one  of  three  groups  that  dictate  guidelines  for  safe 
operation  of  emergency  diesel  generators  in  hospitals.  These  three  groups  provide  fairly 
consistent  requirements  that  they  encourage  but  do  not  require  each  hospital  to  adopt. 

5.2.1.1  The  JCAHO 

The  JCAHO  is  a  national  accreditation  organization  whose  mission  is  to  improve 
the  quality  of  care  provided  to  the  public.  Hospitals  seek  accreditation  from  this 
organization  in  order  to  prove  to  the  public,  insurance  companies,  and  others  that  it 
adheres  to  a  set  of  standards  recognized  as  those  belonging  to  a  quality  healthcare 
organization.  The  JCAHO  standards  focus  mainly  on  EDG  testing  and  leave 
maintenance  plans  to  the  individual  hospital  [25]. 

5.2.1.2  The  National  Fire  Prevention  Association 

The  National  Fire  Prevention  Association  (NFPA)  is  also  a  voluntary,  non¬ 
governmental  association  dedicated  to  fire  safety  and  related  hazards.  The  NFPA  has 
established  two  codes  that  affect  the  operation  of  EDGs  in  hospitals.  The  first  code  deals 
specifically  with  healthcare  facilities  while  the  other  is  a  general  standard  for  emergency 
and  standby  power  systems.  Testing  requirements  set  forth  by  these  codes  are  very 
similar  to  those  required  by  the  JCAHO.  The  NFPA  also  stresses  the  importance  of 
development  of  a  preventive  maintenance  program  and  publishes  a  set  of  comprehensive 
periodic  maintenance  items  that  it  recommends  for  the  safe  operation  of  EDGs  [28]. 
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5.2.1.3  The  National  Electrical  Code 

The  final  source  of  requirements  for  EDGs  in  hospitals  is  the  National  Electrical 
Code  (NEC).  The  guidelines  and  testing  set  forth  by  the  NEC  are  extremely  general  and 
compliance  with  the  JCAHO  and  NFPA  requirements  ensure  compliance  with  NEC 
standards  [25]. 

5.2.2  Code  Requirement  Compliance 

None  of  the  organizations  listed  in  Section  5.2.1  enforce  the  standards  that  they 
propose  for  safe  operation  of  EDGs.  Compliance  by  the  individual  hospital  is  voluntary 
although  some  states  require  accreditation  for  fulfillment  of  licensing  requirements. 

Also,  a  satisfactory  accreditation  status  of  a  hospital  may  favorably  influence  the  liability 
insurance  premiums  of  the  hospital  [29].  In  diis  respect,  hospitals  abide  by  JCAHO 
standards  because  of  economic  motivation.  We  observe  it  is  also  reasonable  to  assume 
that  hospitals  comply  with  JCAHO  and  NFPA  standards  out  of  a  moral  obligation  to 
preserve  human  life. 

5.2.3  Hospital  EDG  Summary 

Although  EDG  testing  and  maintenance  requirements  are  not  as  strenuous  as 
those  required  in  nuclear  power  plants,  engineers  that  oversee  the  hospital  diesels  judge 
that  their  generators  perform  at  a  high  level  of  reliability  even  though  they  typically 
cannot  quantify  its  value.  Hospitals  rarely,  if  ever,  perform  overhauls  on  their  diesels. 
Although  the  JCAHO,  the  NFPA,  and  the  NEC  do  not  rigorously  enforce  their  standards, 
they  do  provide  a  standard  guideline  for  all  diesel  engineers  to  adhere  to  regardless  of 
diesel  manufacturer  or  diesel  size.  Individual  maintenance  plans  and  overhaul  schedules 
are  left  to  the  discretion  of  the  diesel  engineer  charged  with  the  direct  oversight  of  the 
individual  EDGs. 

5.3  The  Federal  Aviation  Administration 

The  Federal  Aviation  Administration  (FAA)  is  the  federal  agency  charged  with 
oversight  of  alt  civilian  air  travel,  both  public  and  private,  in  the  United  States.  Operating 
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under  the  Department  of  Transportation,  the  FAA’s  primary  mission  is  to  establish  and 
enforce  standards  that  ensure  safe  operation  of  all  aspects  of  the  aviation  system. 
Emergency  diesel  generators  operated  by  the  FAA  contribute  to  the  safe  operation  of  the 
National  Airspace  System  [30]. 

Facilities  that  must  maintain  aids  to  air  navigation  and  traffic  control  utilize  EDGs 
at  all  times  and  under  a  variety  of  conditions.  If  a  control  site  loses  offsite  commercial 
power,  EDGs  and  emergency  batteries  are  the  only  defense  against  failure  of  the  facility. 
If  a  facility  fails  to  operate,  air  traffic  in  that  area  will  slow  considerably  as  control  is 
passed  to  adjacent  centers.  This  situation  took  place  on  December  18,  1997  at  a  control 
center  in  Kansas  City  when  a  worker  inadvertantly  shut  down  both  halves  of  the  redudant 
primary  power  circuit  system  while  performing  routine  maintenance.  Although  the 
EDGs  were  operational,  the  nature  of  the  human  error  prevented  both  the  diesels  and  the 
batteries  from  providing  power  to  the  control  station  [31].  This  type  of  failure  results  in 
inconvenience  for  air  travelers  and  a  loss  of  revenue  for  the  airlines.  A  more  drastic 
consequence  of  a  failed  facility  is  the  possibility  of  an  air  crash  due  to  loss  of  approach 
radar  or  commvmications.  Thus,  high  reliability  and  safe  operation  of  the  EDGs  are 
paramount  to  the  FAA  [32]. 

5.3.1  General  Description 

The  FAA  owns,  operates  and  maintains  approximately  3000  standby  generators  in 
the  US.  A  majority  of  the  generators  operated  by  the  FAA  are  diesel  powered  and  range 
in  size  from  1.5kW  to  more  than  550kW.  Most  of  these  imits  have  a  fully  automatic  start 
system  designed  to  assume  the  facility  load  if  interruption  of  the  prime  offsite  power 
occurs.  The  FAA  utilizes  continuous  monitoring  of  operating  EDGs  to  assess  the  engine 
for  dangerous  overspeed,  excessive  load,  high  temperature  and  low  oil  pressure. 

Readings  outside  of  the  allowed  tolerances  set  for  these  parameters  will  automatically 
shut  down  the  diesel  [30]. 
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5.3.2  Maintenance  Requirements 

Maintenance  guidelines  and  requirements  for  the  diesels  operated  by  the  FAA  are 
set  forth  in  Order  6980.1 IB:  Maintenance  of  Engine  Generators  [30].  This  order  is  a 
comprehensive  guideline  that  outlines  procedures  for  proper  maintenance  and  inspection 
of  all  engine  generators  utilized  by  the  FAA.  The  order  contains  detailed  diesel  generator 
information  as  well  as  a  section  tailored  specifically  for  diesels  in  standby  operation. 

An  initial  review  of  the  maintenance  requirements  detailed  in  this  order  reveals 
what  appears  to  be  an  enormous  number  of  required  action  items.  However,  many  of 
these  items  are  testing  requirements  which  we  eliminated  for  comparison  purposes.  The 
remaining  items,  while  thorough,  are  liberally  peppered  with  visual  checks  and 
maintenance  items  that  should  be  performed  “if  required.” 

One  notable  maintenance  requirement  that  fits  into  the  “if  required”  category  is 
the  overhaul  of  EDGs  and  other  diesels  operated  by  the  FAA.  Item  204,  which  outlines 
this  requirement  reads  as  follows: 

204.  ENGINE  OVERHAUL.  Check  to  determine  need  for  overhaul  of 

engine,  accessories,  and  turbocharger.  Overhaul  if  required  [30]. 

The  FAA  does  not  determine  this  need  for  an  overhaul  at  a  pre-determined  interval. 
However,  they  do  require  that  a  qualified  technician  make  this  assessment  and 
subsequently  determine  the  depth  of  a  particular  needed  overhaul.  The  author  of  Order 
6980.1  IB  stated  that  while  FAA  diesels  sometimes  require  major  maintenance,  overhauls 
are  infrequently,  if  ever  performed.  He  stated  that  proper  maintenance  of  the  diesels 
ensures  that  by  the  time  FAA  diesels  qualify  for  an  overhaul,  the  age  of  the  diesel  usually 
justifies  replacement  of  the  entire  diesel  [32]. 

5.3.3  Enforcement  of  Standards 

The  FAA  is  in  a  unique  situation  in  that  it  sets  its  own  standards,  implements 
those  standards,  and  then  enforces  those  standards  upon  itself  In  order  to  combat  a 
possible  conflict  of  interest,  the  FAA  periodically  dispatches  technical  evaluators  to  their 
facilities  to  gauge  the  level  of  compliance  of  individual  facilities  with  FAA  requirements. 
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One  such  technical  evaluator  stressed  that  although  this  program  provides  a  certain  level 
of  enforcement,  its  main  purpose  is  to  improve  the  overall  performance  of  the  diesels. 

The  FAA  technical  evaluator  also  observed  that  the  FAA’s  inherent  ownership  of 
its  diesels  is  a  different  relationship  from  that  of  the  NRC  and  the  utility  EDGs.  While 
the  FAA  regulates  and  enforces  its  rules  upon  itself,  the  NRC  regulates  and  enforces 
standards  upon  the  utilities  which  are  independent,  separate  entities.  The  technical 
evaluator  judged  that  this  difference  may  account  for  the  FAA’s  more  liberal  approach  to 
the  frequency  of  diesel  overhauls  [33].  In  other  words,  since  the  FAA  has  direct 
oversight,  it  can  better  judge  the  specific  maintenance  needs  of  its  diesels.  By  contrast, 
the  NRC  may  have  extremely  stringent  rules  in  order  to  compensate  for  utilities  with 
relatively  lax  standards. 

Although  the  FAA  and  nuclear  utility  EDGs  are  regulated  in  contrasting  ways,  the 
end  relationship  is  not  profoundly  different.  In  both  cases,  the  FAA  and  the  individual 
utilities  both  have  an  inherent  interest  in  the  good  performance  of  their  diesels  regardless 
of  the  method  of  regulation.  Therefore  a  more  liberal  EDG  overhaul  frequency  may  be 
appropriate  for  individual  utilities. 

5.3.4  FAA  EDG  Summary 

The  FAA  demands  adherence  to  a  specific,  general  set  of  EDG  periodic 
maintenance  requirements  regardless  of  the  individual  manufacturer  of  the  diesel.  These 
general  maintenance  requirements  consist  mainly  of  visual  checks  and  maintenance  that 
diesel  operators  should  perform  if  they  identify  a  need  to  do  so.  The  FAA  performs 
overhauls  rarely,  if  ever.  Despite  this  apparently  liberal  approach  to  diesel  maintenance, 
FAA  diesel  generator  experts  feel  that  the  performance  and  reliability  of  these  diesels  are 
acceptable.  Unfortunately,  the  FAA  has  conducted  no  studies  that  track  the  reliability  of 
these  diesels.  However,  the  FAA  cannot  directly  link  the  death  of  a  single  human  or  an 
aircraft  crash  to  the  failure  of  an  EDG  at  an  FAA  air  traffic  control  facility. 
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5.4  The  United  States  Navy 

The  use  of  EDGs  by  the  US  Navy  to  provide  backup  power  for  nuclear  reactors  on 
board  ships  is  notably  similar  to  the  use  of  EDGs  in  the  nuclear  industry.  The  Navy’s 
long  history  of  nuclear  power  utilization  has  provided  ample  opportunity  for  reassessment 
and  continual  improvement  of  its  EDG  maintenance  requirements.  A  review  of  the 
Navy’s  current  requirements  reveals  a  comprehensive  maintenance  program  as  well  as  a 
detailed  inspection  program  that  explicitly  emphasizes  non-intrusive  practices. 

5.4.1  Maintenance  History 

Until  the  late  1950s,  the  US  Navy  operated  under  a  very  reactive-type 
maintenance  environment  known  as  progressive  maintenance.  Organized  maintenance 
plans  were  rare  and  Navy  personnel  only  repaired  equipment  when  broken  or 
malfunctioning  [34].  Plaimed  preventive  maintenance  programs  became  more  widely 
adopted  in  the  early  1960s  [35].  These  programs  were  also  fairly  reactive  in  that  they 
established  maintenance  requirements  based  upon  individual  events  as  failures  occurred 
instead  of  developing  a  generalized  program  that  workers  could  apply  to  all  equipment. 

The  Navy  established  preventive  maintenance  programs  because  of  a  belief  that 
this  type  of  maintenance  would  combat  the  decreased  reliability  associated  with  the 
increasing  age  of  equipment.  However,  studies  done  in  the  mid-1960s  revealed  that 
unreliability  did  not  increase  dramatically  with  the  age  of  the  equipment.  In  fact,  the 
largest  problem  identified  with  these  studies  was  the  problem  of  high  failure  rates  of 
equipment  following  maintenance  (infant  mortalities).  This  discovery  prompted  the  navy 
to  search  for  a  more  systematic  approach  to  developing  preventive  maintenance  task 
needs. 

In  the  early  70’s,  the  Department  of  Defense  adopted  a  maintenance  technique 
first  utilized  by  the  airlines  in  the  maintenance  program  for  the  Boeing  747.  This 
technique  utilized  a  decision  tree  to  identify  critical  maintenance  tasks  which  affected  the 
unreliability  of  operations.  This  efficient  and  systematic  approach  to  preventive 
maintenance  was  first  applied  by  the  Navy  to  its  newly  designed  aircraft.  Shipboard 
implementation  of  this  method  occurred  in  1978  and  was  termed  Reliability-Centered 
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Maintenance  (RCM)  by  the  Navy.  Currently,  RCM  still  forms  the  basis  for  maintenance 
performed  on  shipboard  Naval  equipment. 

The  objective  of  RCM  is  to  maintain  the  inherent  reliability  of  the  equipment 
design.  RCM  avoids  focusing  directly  on  subsystems  and  individual  equipment  and 
instead  concentrates  on  identifying  functionally  significant  items.  Maintenance  planners 
must  then  determine  maintenance  tasks  for  these  items  based  on  an  analysis  of  their 
function  and  dominate  failure  modes.  Once  the  planners  select  a  task,  they  can  then 
determine  the  specifics  of  an  inspection  item  like  its  periodicity.  Today  these 
maintenance  tasks  fall  into  the  following  three  categories:  l)time-directed  tasks, 
2)condition-directed  tasks,  or  3)the  do  nothing  option.  Personnel  must  perform  time- 
directed  tasks  at  specific  intervals  without  consideration  of  other  variables.  Condition- 
directed  tasks  are  performed  by  workers  at  specific  intervals  or  after  a  number  of  specific 
events  and  then  observed  conditions  are  compared  with  an  appropriate  standard.  Finally, 
RCM  may  determine  that  the  best  maintenance  strategy  for  a  particular  item  may  be  for 
no  maintenance  on  a  particular  item. 

In  order  to  develop  a  schedule  for  condition-directed  tasks,  the  Navy  utilized  a 
tool  called  age-reliability  analysis.  Age-reliability  analysis  is  a  set  of  techniques  that 
identify  the  relationship  between  system  or  equipment  probability  of  failure  and  elapsed 
times  since  its  manufacture  or  last  complete  overhaul.  The  Navy  used  this  technique  in 
the  early  1980s  to  establish  maintenance  schedules  for  the  few  maintenance  tasks  that 
were  not  time-based. 

Recently,  the  Navy  sinnounced  that  it  will  move  increasingly  towards  condition- 
based  maintenance.  In  conjunction  Avith  this,  the  Navy  resumed  work  on  age-reliability 
analysis.  A  report  produced  on  this  subject  in  1993  found  evidence  to  support  that 
premature  failure  following  overhaul  is  common  and  that  evidence  of  equipment  wearout 
necessitating  complete  overhaul  of  equipment  is  uncommon.  In  addition,  the  study  found 
that  routinely-authorized  overhauls  seldom  prevent  equipment  failures  [35]. 
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5.4.2  Diesel  Generator  Maintenance 

Although  the  history  of  diesel  generator  maintenance  roughly  follows  the  overall 
maintenance  history  of  the  Navy,  there  is  one  important  difference.  In  1987,  the  Navy 
established  a  formal  program  to  provide  routine  inspections  of  all  diesel  engines  by 
qualified  Diesel  Engine  Inspectors  (DEI).  The  Navy  established  this  unique  program  as  a 
result  of  an  acknowledgment  by  the  Navy  that  a  standardized  method  of  assessment  was 
needed  for  this  vital  piece  of  equipment.  The  DEI  program  is  not  only  a  successful 
inspection  program  but  also  establishes  a  central  group  of  experts  that  Naval  personnel 
can  call  upon  to  troubleshoot  diesel  problems  at  any  time  [36, 37]. 

5.4.3  US  Navy  Diesel  Inspection 

Every  operational  diesel  engine  in  the  Navy’s  inventory  must  imdergo  a  diesel 
inspection  by  a  certified  DEI  every  18  months.  This  comprehensive  inspection  includes 
the  following  three  phases: 

I)  Review  of  Records  —  This  phase  includes  a  complete  review  of  the  engine 
maintenance  history,  operating  logs,  trend  analysis,  and  training  of  the  engine 
operators. 

II)  Secured  Inspection  —  This  is  a  disassembly  inspection  of  the  diesel  based  on 
the  results  of  the  Review  of  Records.  All  or  part  of  the  Secured  Inspection  may 
be  waived  at  the  inspector’s  discretion.  If  this  phase  is  required,  the  inspector 
decides  the  degree  of  disassembly  and  conducts  a  thorough  evaluation  of  the 
internal  condition  of  the  engine. 

III)  Operating  Inspection  -  The  DEI  conducts  a  thorough  review  of  the  engine 
operating  parameters  using  appropriate  technical  manuals  as  a  guide  [38]. 

The  Secured  Inspection  phase  is  similar  in  makeup  to  the  nuclear  industry  ROI  - 
except  that  manuals  dictating  the  conduct  of  this  inspection  repeatedly  emphasize  to  the 
DEIs  that  they  should  “Keep  teardown  to  the  absolute  minimum  required  to  accomplish 
and  adequate  inspection  [36].”  This  attitude  was  also  expressed  repeatedly  by  a  DEI 
throughout  the  observation  of  one  such  inspection  that  took  place  on  board  a  US  Navy 
submarine.  The  DEI  conducting  this  inspection  was  careful  to  point  out  the  merits  of 
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minimum  intrusion  to  the  emergency  diesel.  He  also  pointed  out  non-intrusive 
evaluations  of  the  diesel  that  can  identify  possible  problems  within  the  diesel  [37]. 

One  specific  issue  addressed  by  the  DEI  was  that  of  borescoping  of  the  cylinder 
liners.  Although  horoscope  equipment  is  available  within  the  Navy,  inspectors  hardly 
ever  use  this  technology  because  of  its  intrusive  nature.  The  Navy  only  horoscopes  its 
cylinders  if  there  are  indications  that  a  cylinder  is  malfunctioning,  at  which  point  the 
Navy  judges  that  the  intrusiveness  is  justified. 

An  additional  goal  of  the  DEI  program  is  to  reduce  the  incidence  of  human  error- 
induced  failure.  Of  the  few  EDO  overhauls  that  the  interview  DEI  could  recall  taking 
place,  a  majority  of  them  were  required  because  of  some  type  of  human  error  or  intrusion. 
One  particular  overhaul,  which  cost  the  Navy  $7.5  million,  was  attributed  to  the 
introduction  of  a  candy  wrapper  into  a  submarine’s  EDO.  The  Navy  hopes  that  the 
presence  of  the  DEI  during  the  diesel  inspection  provides  a  bamer  to  these  types  of 
human  errors. 

The  official  DEI  handbook  contains  the  Secured  Inspection  phase  worksheet  for 
all  Colt-Pielstick  diesels  utilized  by  the  Navy.  Although  this  inspection  worksheet 
applies  to  both  standby  and  propulsion  diesels,  the  DEI  tailors  the  scope  and  depth  of 
each  inspection  to  fit  the  individual  diesel  inspection  [36]. 

5.4.4  US  Navy  Automated  Diesel  Engine  Trend  Analysis  Program 

The  US  Navy  recently  implemented  the  Automated  Diesel  Engine  Trend  Analysis 
(ADETA)  program  on  board  US  ships  to  provide  a  means  to  collect  and  analyze  diesel 
engine  operating  parameters.  ADETA  was  designed  by  the  Navy  to  provide  a  means  of 
effectively  monitoring  engine  operation  as  well  as  determining  the  need  for  corrective 
maintenance  and  overhaul  [39]. 

ADETA  is  an  automated,  personal  computer-based  system  that  is  capable  of 
tracking  several  different  engine  parameters  including  exhaust  temperature,  crankcase 
pressure  and  vacuum  and  lube  oil  pressure.  Although  this  program  is  capable  of 
troubleshooting  parameters  considered  outside  of  established  parameter  bounds,  it  has 
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received  some  criticism  for  its  inability  to  identify  harmful  trends  that  remain  inside 
allowed  parameter  bounds.  Currently,  diesel  operators  must  still  identify  harmful  trends. 

5.4.5  Diesel  Overhaul 

The  results  of  the  inspection  performed  by  the  DEI  and  information  gathered  from 
ADETA  form  the  basis  for  determining  the  need  for  a  diesel  engine  overhaul.  Navy 
diesel  experts  stated  that  such  overhauls  usually  apply  only  to  diesels  used  for  propulsion 
and  are  rarely  performed  on  emergency  diesels.  In  fact,  most  Navy  EDGs  go  without  an 
overhaul  for  the  life  of  the  ship  which  can  be  as  long  as  30  years.  The  DEI  whom  we 
interviewed  judged  that  this  excellent  record  can  be  attributed  to  the  expertise  and 
standardization  which  the  diesel  inspection  program  provides  [37,  38]. 

5.4.6  Enforcement 

While  each  Navy  ship  owns  and  operates  its  own  EDG,  that  diesel  is  subject  to 
Navy-wide  standards.  The  DEI,  while  a  member  of  the  Navy,  is  not  subject  to  the  ship’s 
authority.  The  Navy  instituted  this  arrangement  in  order  to  diminish  the  possibility  of  a 
conflict  of  interest  between  the  ship’s  leaders  and  its  diesel  operators.  A  failure  to 
comply  with  the  diesel  inspection  program’s  requirements  can  result  in  the  ship  being 
removed  from  active  service  in  the  Navy.  Although  this  action  may  seem  drastic,  a 
failure  of  the  diesel  could  result  in  a  loss  of  life  onboard  ship  or  loss  of  the  entire  ship. 
Such  an  event  could  affect  the  Navy’s  ability  to  defend  the  United  States  against  its 
enemies  [37]. 

5.4.7  US  Navy  EDG  Summary 

The  United  States  Navy  has  taken  a  systematic  approach  to  improving  the 
reliability  of  the  EDGs  onboard  its  warships.  Maintenance  practices  have  continually 
evolved  to  incorporate  available  technology  to  the  point  that  Navy  EDGs  rarely  need 
overhauls.  This  can  be  attributed  in  part  to  a  comprehensive  inspection  program  that 
emphasizes  non-intrusive  procedures  and  provides  each  diesel  with  a  pool  of  trained 
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experts.  This  program  has  produced  an  impressive  record  of  high  availability  and  has 
attempted  to  address  the  problems  of  non-availability  associated  with  human  error. 

5.5  Inspection  Requirement  Comparison 

Although  each  of  the  major  non-nuclear  industry  groups  reviewed  here  differ 
significantly  in  the  ways  in  which  their  maintenance  and  inspection  requirements  occur, 
they  otherwise  share  fundamental  similarities.  First,  and  most  importantly,  all  three 
groups  rarely  perform  overhauls  on  their  respective  diesel  engines.  These  groups  perform 
inspections  regularly  but  emphasize  non-intrusive  practices.  Many  inspection  items  are 
visual  and  depend  increasingly  on  use  of  modem  engine  analysis  equipment. 

All  of  the  similarities  cited  above  contrast  distinctly  with  nuclear  power  industry 
EDO  practices  and  ROI  requirements.  Although  it  would  be  an  exaggeration  to  term  the 
ROI  a  “major  overhaul,”  it  does  require  a  significant  amount  of  disassembly,  being  well 
beyond  the  amount  required  by  the  non-nuclear  power  industry  groups.  A  detailed 
review  of  individual  inspection  items  revealed  that  many  of  the  items  required  by  the  ROI 
are  performed  on  a  discretionary  basis  in  the  non-nuclear  industry  groups.  Table  5.1 
presents  this  comparison. 

The  first  column  of  Table  5.1  contains  the  items  identified  by  the  MP-3  diesel 
engineer  as  benefiting  from  elimination  or  change.  Numbers  listed  in  this  column  refer  to 
the  current  ROI  numbering  system.  The  second  column  contains  those  items  found  in  the 
Navy’s  EDO  inspection  and  overhaul  requirements  that  compare  with  the  ROI  items. 

The  numbered  items  in  this  column  come  from  the  DEI  handbook  and  must  be  performed 
by  Naval  personnel  once  every  18  months.  The  remaining  items  in  the  second  column 
are  Navy  overhaul  requirements.  The  final  column  contains  FAA  maintenance  and 
inspection  requirements  similar  to  the  ROI  items.  Numbers  found  in  this  column  are 
maintenance  requirement  numbers  utilized  by  the  FAA. 

A  quick  survey  of  Table  5.1  reveals  that  a  majority  of  the  items  in  the  Navy 
column  eire  visual  checks  or  items  performed  only  during  a  major  overhaul.  The  FAA 
column  is  also  filled  with  visual  checks  and  items  referred  to  as  incidental.  The  term 
incidental  refers  to  items  that  the  FAA  performs  on  a  discretionary  basis.  Although  there 
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is  a  general  trend  of  non-intrusive  or  discretionary  items  in  columns  two  and  three,  the 
crankshaft  measurements  are  a  notable  exception.  The  MP-3  engineer  judged  that  this 
requirement  was  very  intrusive  to  the  diesel  and  could  be  replaced  with  engine  and  oil 
analysis  [21].  The  Navy  DEI  considered  the  crankshaft  measurements  to  be  important  to 
his  inspection.  At  this  time,  however,  the  Navy  does  not  utilize  analysis  equipment 
capable  of  detecting  crankshaft  problems. 


MP-3  CoIt-PielstickROI 
Items  Recommended  for 
Change* 

Corresponding  US  Navy 
Requirements^ 

Corresponding  FAA 
Standby  Generator 
Requirements^ 

2.  Remove  and  check  injection 
nozzles  for  operation  and 
opening  pressure. 

7.a:  Check  and  record  injector  fuel 
pump  timing  on  at  least  two  cylinders 
on  each  bank. 

(18  months) 

206.a:  Clean  and  service  fuel 
injectors  if  required. 

(Annually) 

3.  Remove,  disassemble,  clean 
and  repair  all  air  start  valves  and 
air  start  distributors. 

Install  complete  set  of  injection 
equipment.  (Major  overhaul) 

203. d;  Inspect  starter. 

(Biennially) 

4.  Drain  and  refill  governor  and 
turbochargers  with  approved  oil. 

3. a:  Visually  inspect  turbocharger  oil 
level  and  condition  of  oil  through 
sightglasses.  (18  months) 

7.b:  Check  governor  oil  level  and  oil 
leakage  around  base  of  governor. 
Visually  inspect  oil  condition  through 
sightglass.  (18  months) 

203. b:  Drain  and  replace  oil  in 
hydraulic  governor  sump  every 
two  years,  or  after  200  hours  of 
operation,  whichever  comes 
first. 

9.  Check  for  tightness  of 
exhaust  manifold  flange  bolts  to 
cylinder  head  (165-195  ft.lbs). 

4.a:  Visually  examine  exhaust  system 
for  leaks  during  operational  test.  (18 
months) 

201.i:  Examine  exhaust  and 
combustion  air  systems  for 
leaks.  (Monthly) 

1 1 .  Borescope  all  cylinder 
liners. 

Remove  all  cylinder  liners.  (Major 
overhaul) 

Discretionary 

14,  Perform  camshaft  bearing 
analysis. 

Remove,  inspect,  and  repair/replace 
camshaft  bearings.  (Major  overhaul) 

Discretionary 

15.  Check  crankshaft  alignment 
and  bearing  clearances. 

2.m:  Take  a  complete  set  of 
crankshaft  deflection  readings  and 
bearing  presses. 

(18  months) 

Discretionary 

19.  Check  alternator  coils  and 
poles  for  indication  of 
movement  (visual). 

No  reference. 

Discretionary 

Table  5.1  Refueling  Outage  Inspection  Items  Recommended  for  Improvement  Listed  in 
Comparison  to  Practices  in  Other  Industries  Employing  EDGs 
('current  ROI  requirements  [16]  ^numbering  refers  to  items  found  in  Navy  Diesel  Engine  Inspection 
handbook  [35]  ^numbering  refers  to  items  found  in  FAA  maintenance  manual[30]) 
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5.6  Summary 

A  review  of  non-nuclear  industry  EDG  inspection,  maintenance,  and  overhaul 
requirements  reveals  that  their  programs  emphasize  non-intrusive,  visual  inspections. 
When  contrasted  with  the  ROI  requirements  at  MP-3,  these  observations  validate  the 
nuclear  experts’  opinions  that  the  ROI  items  are  too  intrusive  and  based  upon  unsound 
engineering  practices. 
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Chapter  6  -  ROI  Implementation  Risk  and  Reliability 
Implications 


6.1  Introduction 

The  project  on  Integrated  Models,  Data  Bases  and  Practices  Needed  for 
Performance-Based  Safety  Regulation  focuses  on  three  practices  that  affect  the  reliability 
of  the  EDGs  and  their  related  systems  as  seen  in  Table  6.1.  Monitoring,  testing,  and 
inspecting  are  common  practices  utilized  in  numerous  engineering,  applications.  Each  of 
these  practices  are  utilized  extensively  for  maintaining  the  diesels  at  MP-3.  We  carefully 
reviewed  the  practices  currently  in  place  at  MP-3  and  proposed  changes  in  these  practices 
based  on  industry  comparison  and  expert  opinion.  Subsequent  risk  and  reliability 
analyses  were  then  performed  in  order  to  identify  potential  improvements  resulting  from 
the  altered  practices.  This  chapter  presents  the  risk  and  reliability  implications  of  altered 
inspection  practices.  Dulick’s  report  details  the  risk  and  reliability  implications  of  altered 
monitoring  and  testing  practices  [3]. 

Our  survey  of  expert  opinion  has  shown  that  the  proposed  improved  ROI  will 
produce  qualitative  performance  improvements  for  the  EDGs.  In  order  to  assess  the 
quantitative  benefits  of  the  proposed  ROI  alterations,  it  is  necessary  to  calculate  the  risk 
implications  of  the  suggested  changes.  In  the  case  of  the  ROI  alteration,  the  plant  realizes 
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PRACTICES  AFFECTING 
EDG  RELIABILITY 

WHAT  IS  DONE 

HOW  PRACTICE  AFFECTS 
RELIABILITY  OF  EDG 

MONITORING 

The  diesel  and  its  support  systems 
are  continuously  or  periodically 
monitored  and  tracked  with  sensing 
equipment  especially  during  tests. 

The  information  provided  by  this 
equipment  keeps  the  operators  of 
the  diesel  apprised  of  the  status  of 
the  EDG  and  related  systems. 

Monitoring  can  aid  EDG  operators 
in  identifying  internal  failures  or 
harmful  performance  trends  without 
the  intrusiveness  of  some  inspection 
practices.  Utilization  of  monitoring 
equipment,  however,  may  introduce 
new  failures  modes. 

TESTING 

The  diesel  is  periodically  operated 
for  a  specific  duration  of  time 
according  to  applicable  regulations. 
The  tests  provide  information  on  the 
performance  of  the  diesel  and  its 
ability  to  fulfill  its  safety  function. 

Testing  ensures  that  the  diesel  is 
able  at  the  time  of  the  test  to 
perform  its  vital  role  of  supplying 
backup  power  and  can  aid  in  the 
identification  of  failures.  Over¬ 
testing,  however,  can  unnecessarily 
stress  the  diesel.  Use  of  improper 
testing  intervals  and  run  times,  as 
well  as  the  limitations  of  some  tests, 
can  prevent  identification  of 
inipbrtant  failure  modes. 

INSPECTION 

The  diesel  and  related  systems  are 
periodically  inspected  in  order  to 
identify  excessive  wear  and  latent 
failures.  Inspection  also  ensures 
that  preventive  maintenance  is  being 
performed  correctly. 

Inspecting  the  EDG  can  aid  in  the 
prevention  of  failures  due  to  wear  or 
poor  manufacture.  Improper  or 
over-inspecting,  however,  can 
introduce  failure  through  part 
warping,  improper  disassembly  or 
reassembly  and  numerous  other 
possible  human  errors. 

Table  6.1  Practices  Affecting  EDG  Reliability 


a  net  benefit  as  a  result  of  changes  in  the  various  risk  factors  affected  by  the  proposed 
changes. 

In  order  to  estimate  these  risk  changes  we  first  perform  a  time  savings  calculation 
in  order  to  assess  the  risk  benefits  realized  within  the  refueling  outage.  The  significant 
time  savings  realized  by  an  improved  ROI  positively  impact  the  fuel  melt  fi-equency 
(FMF)  of  MP-3,  as  well  as  the  qualitative  level  of  defense  in  depth  (DID)  in  the  plant. 
Although  a  shortened  ROI  does  not  affect  the  critical  scheduling  path  of  MP-3, 
calculations  show  that  this  is  a  possible  future  benefit  realized  by  the  plant.  It  also  affects 
EDG  availability,  which  has  an  effect  upon  other  allowed  activities  and  their  risk. 
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A  sensitivity  analysis  of  the  reliability  improvements  associated  with  the 
Improved  Refueling  Outage  Inspection  (IROI)  reveals  significant  potential  reduction  of 
the  EDG  system  failure  probability.  In  addition  to  this,  we  present  the  results  of  a  similar 
analysis  of  the  effects  of  increased  EDG  monitoring  and  its  use  as  justification  for  an 
increase  in  EDG  surveillance  interval  and  a  change  of  test  duration. 

6.2  Time  Savings  Calculation 

Here  we  calculate  the  time  savings  associated  with  the  IROI.  This  calculation  is 
an  essential  part  of  our  analysis  as  the  resulting  time  savings  impact  both  the  fuel  melt 
frequency  of  the  plant  and  the  defense  in  depth  in  the  plant. 

A  team  of  workers  that  includes  mechanics,  laborers,  a  Colt-Pielstick  service 
representative,  and  the  diesel  engineer  perform  the  ROI  and  associated  maintenance  at 
MP-3.  At  any  given  time,  there  are  three  to  four  workers  executing  the  planned  ROI 
items.  With  these  workers  laboring  around  the  clock  in  staggered  ten  hour  shifts,  the  ROI 
for  each  EDG  is  completed  by  the  laborers  in  about  seven  days. 

In  order  to  calculate  the  man-hour  savings  realized  by  the  IROI,  we  asked  the 
MP-3  diesel  engineer  to  give  his  best  estimate  of  the  number  of  workers  and  time 
currently  required  to  perform  the  individual  items  that  he  recommended  for  alteration 
[21].  We  calculated  the  total  time  saved  for  each  item  altered  according  to  Equation  6.1. 

^  Laborers^  Time^  f  Periodicity^ 
i^^Requiredy  vSavedy  V  Factor  > 

The  Periodicity  Factor  (PF)  contained  in  Equation  6.1  is  a  positive  multiplicative  factor, 
less  than  or  equal  to  unity,  which  indicates  the  frequency  at  which  inspection  items  are 
currently  performed.  The  PF  is  equal  to  imity  for  items  the  ROI  requires  every  refueling 
outage.  Items  recommended  for  periodicity  extension  to  once  every  other  refuel  have  a 
PF  equal  to  one  half. 

Table  6.1  contains  the  MP-3  diesel  engineer’s  estimates  of  the  time  savings 
associated  with  individual  inspection  item  alteration.  Additionally,  Table  6.1  contains  the 


''Total  Time^ 
Saved 


(6.1) 
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diesel  engineer’s  estimate  of  the  number  of  workers  involved  with  the  individual 
inspection  items.  Utilizing  Equation  6.1,  this  information  is  then  used  to  find  the  total 
time  saved  for  each  altered  inspection  item.  The  results  of  the  calculation  can  also  be 

found  in  Table  6.2. 


Item# 

From 

Current 

ROI 

Checklist 

CURRENT 

requirement 

LABORERS 

REQUIRED 

TIME 

REQUIRED 

TOTAL  TIME 
SAVED  BY 
ALTERATION  OF 
THIS  ACTIVITY 

2 

Remove  and  check  injection 
nozzles  for  operation  and 
opening  pressure. 

Remove,  disassemble,  clean 
and  repair  all  air  start  valves 
and  air  start  distributors. 

2  workers 

30  hours 
(3  shifts) 

60  hours 

3* 

2  workers 

15  hours 
(1.5  shifts) 

*15  hours 

4* 

Drain  and  refill  governor 
and  turbochargers  with 
approved  oil. 

1  worker 

1  hour 

*0.5  hours 

9 

Check  for  tightness  of 
exhaust  manifold  flange 
bolts  to  cylinder  head  (165- 
195  ft.lbs). 

2  workers 

10  hours  1 

(1  shift) 

20  hours 

11 

Borescope  all  cylinder  liners. 

1  worker 

8  hours 

8  hours 

14* 

Perform  camshaft  bearing 
analysis. 

1  worker 

6  hours 

*3  hours 

15 

Check  crankshaft  alignment 
and  bearing  clearances. 

2  workers 

20  hours 
(2  shifts) 

40  hours 

19 

Check  alternator  coils  and 
poles  for  indication  of 
movement  (visual). 

3  workers 

20  hours 
(2  shifts) 

60  hours 

' 

TOTAL 

206.5  hours 

Table  6.2  Factors  of  Estimated  IROI  Labor  Time  Savings 

Based  upon  the  MP-3  diesel  engineer’s  estimates  of  individual  item  time  savings, 
the  total  person-hour  savings  associated  with  the  IROI  is  206.5  man-hours.  This  value.is 
the  total  of  the  estimated  labor  hours  located  in  column  5  of  Table  6.2.  We  note  starred 
items  with  a  Periodicity  Factor  not  equal  to  unity  in  order  to  highlight  their  uniqueness. 
For  example.  Item  3,  disassembly  and  cleaning  of  the  air  start  valves,  usually  requires 
approximately  30  person-hours  to  perform.  The  IROI  involves  only  inspecting  half  of  the 
valves  during  each  inspection,  which  requires  only  15  man-hours  to  perform.  Thus  we 
entered  the  1 5  hour  estimate  in  Table  6.2. 
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In  order  to  arrive  at  a  time  estimate  that  is  useful  for  risk  analysis  calculations,  we 
must  translate  the  total  man-hour  savings  into  saved  inspection  hours.  This  is  done  by 
dividing  the  total  man-hour  savings  by  the  number  of  workers  performing  the  inspection 
at  any  one  time  as  indicated  in  Equation  6.2. 


/'Total  Time'^ 
V  Saved  . 


f  Number  of  Workers  ^ 
vPerforming  Inspection/ 


^Inspection  Hours' 
<  Saved 


(6.2) 


The  MP-3  diesel  engineer  indicated  that  three  to  four  workers  are  performing  the 
inspection  at  any  given  time.  For  this  evaluation,  we  used  the  average  number  of 
workers,  or  3.5  workers,  as  the  number  of  workers  performing  the  inspection.  Using  this 
average  number  of  workers  results  in  59  inspection  hours  saved  or  approximately  2.46 
inspection  days  saved. 

The  MP-3  diesel  engineer  indicated  that  the  inspection  team  usually  completes  the 
current  ROI,  which  is  typically  scheduled  for  a  seven  day  period,  within  five  days.  He 
estimated  that  an  improved  ROI  that  adopts  the  proposed  alterations  could  be  scheduled 
for  five  days  and  would  actually  take  about  three  days  to  complete  [21].  The  above 
calculations  indicate  that  the  improved  ROI  will  take  about  2.54  days  to  complete 
(estimated  five  days  less  2.46  inspection  days  saved)  indicating  that  the  MP-3  diesel 
engineer’s  estimate  is  slightly  conservative. 

We  use  a  time  savings  of  59  hours  throughout  this  work  to  estimate  the  IROI’s 


impact  on  risk. 


6.3  Defense  in  Depth 

Concern  within  the  nuclear  power  industry  regarding  the  adequacy  of  Technical 
Specification  (TS)  requirements  during  plant  outages  prompted  our  review  of  the 
development  and  bases  for  these  regulations.  This  review,  along  with  a  survey  of 
industry  experience,  found  that  the  NRC  did  not  base  TS  for  shutdown  conditions  upon 
exhaustive  safety  analyses  like  those  required  for  operations  at  power.  This  discovery 
prompted  the  formulation  of  additional  system  requirements  designed  effectively  to 


61 


outage  risk  [40, 41],  Defense  in  depth  (DID),  a  strategy  commonly  used  by  the 
military  to  protect  vital  assets,  is  one  concept  adopted  by  the  nuclear  power  industry  in 
order  to  compensate  for  uncertainty  in  the  TS.  Today  the  NRC  endorses  and  encourages 

the  use  of  this  refueling  outage  planning  strategy. 

The  DID  concept  as  utilized  at  MP-3  aids  in  the  planning  and  scheduling  of 
outage  activities  in  a  manner  that  improves  safety  system  availability.  At  MP-3,  outage 
planners  use  DID  as  a  risk  management  criterion  in  order  to  ensure  that  redundant, 
alternate  or  diverse  methods  are  used  to  ensure  that  the  Key  Safety  Functions  (KSF)  of 
the  plant  are  protected  [42]. 

The  KSF  concept  is  an  additional  risk  management  approach  that  requires  MP-3 
to  identify  the  safety  systems  that  are  essential  for  safe  operation  during  an  outage.  The 
KSF  at  MP-3  are  the  Decay  Heat  Removal,  Inventory,  Containment,  Electrical  Power, 
and  Reactivity  control  systems.  For  each  of  these  functions,  MP-3  established  a  set  of 
color-coded  DID  criteria  that  defines  a  level  of  protection  as  follows; 

Green  —  Signifies  a  condition  in  which  equipment  or  system  redundancy  is 
greater  than  the  minimum  DID  standard. 

Yellow  —  Signifies  a  condition  in  which  equipment  or  system  redundancy  is 
is  equal  to  the  minimum  DID  standard. 

Orange  -  Signifies  a  condition  in  which  equipment  or  system  redundancy  is 
is  one  requirement  less  than  the  minimum  DID  standard. 

Red  —  Signifies  a  condition  in  which  equipment  or  system  redundancy  is 
is  two  or  more  requirements  less  than  the  minimum  DID  standard. 

Guidance  for  the  establishment  of  actual  DID  levels  for  the  KSF  is  provided  by 
the  NUMARC  91-06  document.  Guidelines  for  Industry  Actions  to  Assess  Shutdown 
Management  [43].  The  minimum  DID  power  availability  condition  (yellow  status) 
requires  the  maintenance  of  one  available  EDG  and  one  offsite  power  source  as  well  as 
one  backup  power  source.  At  MP-3,  the  offsite  power  sources  include  the  normal  station 
transformer  (NSST)  and  the  ‘A’  reserve  station  transformer  (RSST).  Backup  power 
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sources  at  MP-3  include  the  unused  EDG,  the  redundant  offsite  power  source  and  the 
station  blackout  diesel  (SHOD).  The  SHOD  is  a  non-safety  grade  diesel  capable  of 
carrying  a  limited  number  of  critical  safety  loads  that  can  be  started  should  both  the  A 
and  B  EDG  fail  under  Loss  of  Offsite  Power  (LOOP)  conditions,  thereby  leading  to  a 
station  blackout  condition.  Figure  6.1  is  the  Shutdown  Safety  Assessment  Checklist  used 
by  MP-3  to  determine  its  DID  level  for  power  supply  redundancy. 


Time: 

IV. 

Power  Availability 

Need  at  least  one  offsite  source. 

one  EDG,  and  one  other. 

TOTAL 

CONDITION 

□ 

AEDG(l)  _ 

0-1 

Red 

□ 

BEDG(l)  _ 

2 . 

Orange 

□ 

RSST  (1)  _ 

3 

Yellow 

□ 

NSSTMAIN  (1)  _ 

-  A.  ^ 

rvTPpTi 

□ 

Station  Blackout  EDG  (1)  _ 

H  -  3 

VJX  w  wJLl 

Power  Total 

□ 

Figure  6.1  MP-3  Shutdown  Safety  Assessment  Checklist  for 
Emergency  Power  Redundancy  [42] 

MP-3  outage  planners  never  deliberately  plan  to  exceed  the  minimum  DID  level 
when  determining  the  outage  schedule.  In  other  words,  the  plant  will  only  enter  orange 
and  red  DID  levels  inadvertantly,  as  when  equipment  is  unexpectedly  removed  from 
service  or  when  scheduled  maintenance  is  not  completed  in  the  allotted  time.  At  MP-3, 
the  goal  of  outage  plaimers  is  to  remain  in  the  green  DID  space  as  much  as  possible  [41]. 

During  the  April  1995  refueling  outage,  the  maintenance  and  inspection  of  the 
electrical  power  supply  system  was  scheduled  for  61 1  hours.  Of  this  61 1  hours,  230 
hours  were  scheduled  for  DID  level  yellow  while  the  remaining  381  hours  were 
scheduled  for  DID  level  green.  These  hours  correspond  to  62.4%  at  DID  level  green  and 
37.6%  at  DID  level  yellow  during  the  electrical  power  supply  system  maintenance  period. 
Figure  6.2  details  the  DID  levels  scheduled  during  MP-3’s  1995  outage.  This  figure 
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provides  a  compacted  view  of  the  refueling  outage  schedule  found  in  Figure  3.2  with 
overlapping  scheduled  maintenance  superimposed  onto  a  stogie  time  bar.  The  resulUng 
figure  indicates  the  periods  of  time  in  which  equipment  outages  result  In  different  DID 
levels.  Additionally,  this  figure  indicates  the  equipment  outages  that  result  in  a  yellow 

DID  level  [20]. 


6.3.1  Defense  in  Depth  Improvements 

Significant  defense  in  depth  improvements  are  realized  when  we  apply  the  IROI 

time  savings  to  the  outage  schedule. 

In  1995,  the  outage  times  for  the  A  and  B  EDGs  were  170  hours  and  172  hours, 
respectively.  Application  of  the  IROI  time  savings  shortens  these  outages  to  1 1 1  hours 
for  the  A  EDG  and  1 13  hours  for  the  B  EDG.  Figure  6.2  indicates  three  periods  when  the 
plant  was  in  DID  level  yellow.  The  first  and  third  yellow  DID  levels  are  directly  affected 
by  the  shortened  EDG  inspections.  The  second  DID  level  is  not  affected  by  the  shortened 
EDG  inspection  because  the  B  EDG  is  out  of  service  as  a  consequence  of  the  outage  of 
bus  34D,  not  because  the  B  EDG  is  non-operable  due  to  maintenance.  Figure  6.3  shows 
the  1995  Refueling  Outage,  modified  due  to  application  of  the  IROI.  It  indicates  a 
reduction  of  the  yellow  DID  level  due  to  the  time  saving  associated  with  the  changed 

EDG  inspection. 

Figure  6.3  shows  that  the  first  yellow  DID  level  found  to  Figure  6.2  is  entirely 
eliminated  as  a  consequence  of  the  shortened  EDG  inspection  of  the  B  EDG.  The  second 
yellow  DID  level  of  Figure  6.2  is  left  unchanged  because  of  the  “out  of  service”  status  of 
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Figure  6.3  IROI-Modified  1995  Refueling  Outage  DID  Levels 


bus  34D.  The  shortened  A  EDO  inspection  reduces  the  final  yellow  DID  level  from  135 
hours  to  82  hours. 

Further  reduction  of  the  last  yellow  DID  level  is  limited  by  the  outage  of  bus  34C. 
Bus  34C  has  the  same  effect  upon  the  A  EDO  that  bus  34D  has  upon  the  B  EDO  in  that 
its  outage  renders  its  associated  EDO  essentially  non-operational.  Buses  34D  and  34C 
both  transmit  power  generated  by  the  EDGs  to  the  vital  safety  loads.  If  they  are 
incapable  of  transmitting  this  power,  the  status  of  the  EDG  is  irrelevant  to  whether  the 
system  can  provide  electric  power.  The  limitations  placed  upon  further  DID  level 
improvement  as  a  result  of  the  bus  outages  indicate  that  further  time  savings  associated 
with  the  EDG  inspections  would  produce  no  further  DID  level  improvement.  In  other 
words,  the  currently  proposed  IROI  results  in  the  maximum  DID  improvement  possible 

due  to  alteration  of  the  EDG  inspections. 

The  DID  levels  shown  in  Figure  6.3  result  in  an  overall  green  DID  level  increase 
to  73.3%  of  the  total  outage  reflecting  an  improvement  of  17.5%.  This  large  increase 
indicates  a  significant  DID  capability  improvement.  Essentially,  MP-3  would  remain  at 
the  highest  level  of  DID  for  almost  three  quarters  of  the  electrical  system  outage.  Table 
6.3  further  summarizes  the  DID  level  improvements  associated  with  the  IROI. 
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Outage 

Inspection 

Requirements 

DID  Level  Green 

(hours/%) 

DID  Level  Yellow 

(hours/%) 

ROI 

381  hours  /  62.4%  1 

230  hours  /  37.6% 

IROI 

448  hours  /  73.3% 

163  hours  /  26.7% 

Table  6.3  DID  Level  Comparisons  for  the  1995  Refueling  Outage  Subject  to  ROI  and 

IROI  Requirements,  Respectively 

6.4  Refueling  Outage  Risk  Improvement 

Risk  reductions  during  the  refueling  outage  of  a  plant  are  two-fold  when  MP-3 
utilizes  a  shortened  EDO  inspection.  Initially,  the  IROI  will  alter  the  risk  proftle  of  a 
plant’s  scheduled  outage  resulting  in  a  lower  probability  of  fuel  damage.  A  shortened 
inspection  can  also  conceivably  shorten  the  critical  path  of  the  refueling  outage  yielding 

significant  economic  benefits  for  the  plant. 

The  primary  measure  of  risk  during  a  plant  refueling  outage  is  the  risk  of  fuel 
damage.  While  the  plant  is  in  a  shutdown  status,  the  spent  fuel  must  be  continuously 
cooled  until  it  is  removed  from  the  core.  This  cooling  process  is  accomplished  through 
the  constant  circulation  of  a  coolant  through  the  reactor  vessel.  A  loss  of  cooling  will 
result  in  eventual  boiling  and  evaporation  of  the  coolant.  If  cooling  is  not  restored  (an 
action  highly  dependent  upon  human  intervention),  the  coolant  will  continue  to  evaporate 
until  the  fuel  is  exposed  at  which  point  the  fuel  is  damaged.  The  three  primary  modes  of 
failure  that  can  cause  eventual  damage  of  the  fuel  during  a  refueling  outage  can  be  seen  m 
Figure  6.4.  The  loss  of  cooling  fault  tree  displayed  here  shows  that  the  three  modes  of 
failure  are  loss  of  coolant  flow,  loss  of  heat  sink,  and  loss  of  coolant.  Both  the  loss  of - 
coolant  and  loss  of  coolant  flow  modes  depend  heavily  upon  the  proper  function  of 
pumps.  In  the  case  of  a  loss  of  offsite  power,  these  pumps  depend  upon  the  proper 
function  of  the  EDGs.  When  the  EDGs  are  unavailable  due  to  maintenance  or  testmg,  the 
risk  of  fuel  damage  increases  significantly  [40].  This  aspect  of  diesel  unavailability  can 
be  clearly  seen  in  the  risk  profiles  in  the  following  section. 
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Figure  6.4  Fuel  Loss  of  Cooling  Fault  Tree 


6.4.1  MP-1  Risk  Profile 

Although  MP-3  produced  a  risk  profile  for  its  1995  refueling  outage,  the  nsk 
profile  generated  is  a  relative  representation  of  risk,  with  no  calculated  base-line  nsk 
being  estimated  [41].  In  addition  to  this  qualitative  risk  profile,  a  computer  program  is 
utilized  at  MP-3  that  quantifies  the  core  damage  frequency.  This  program,  however,  was 
found  not  to  be  useful  by  Millstone  PRA  experts  because  of  its  extreme  conservatism 
[40].  Consequently,  no  reliable  risk  quantification  tools  are  available  for  MP-3’s  1995 

refueling  outage. 

Despite  this  lack  of  analytical  capability.  MP-3  will  still  gain  risk  reducations 

with  utilization  of  a  shortened  inspection.  The  EDQs  are  one  of  the  largest  eontrlbutors 
to  risk  when  the  plant  is  operating  at  power  and  during  the  refueling  outage.  Any 
reduction  in  the  un-availability  of  the  EDO  will  decrease  the  overall  probability  of  core 

damage.  This  is  typical  of  all  plants  in  the  US. 

In  order  to  demonstrate  the  potential  improvements  of  a  shortened  EDO 
inspection,  we  use  the  risk  profile  of  MP-l’s  refueling  outage  [40, 44],  as  seen  in  Figure 
6.5,  as  a  substitute  for  the  MP-3  risk  profile.  Utilization  of  the  MP-1  risk  profile  allows 
us  to  quantify  the  potential  risk  reductions  associated  with  the  IROI,  a  capability  that  is 
unavailable  with  the  qualitative  MP-3  risk  profile.  The  MP-1  emergency  power  system  is 
similar  to  the  MP-3  plant  in  that  it  has  two  EDGs  with  an  additional  station  blackout 
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generator  (gas  turbine  driven).  The  risk  profile  shown  was  planned  for  November  and 
December  of  1995. 

MP-1  Risk  Profile 


Figure  6.5  MP-1  1995  Fuel  Damage  Risk  Profile 

Figure  6.5  illustrates  the  many  risk  highs  and  lows  experienced  by  the  plant 
during  a  typical  refueling  outage.  The  time  bar  located  in  the  middle  of  the  chart 
represents  the  time  that  the  MP-1  EDGs  are  out  of  service  for  maintenance,  a  period  of 
approximately  17  days  or  8.5  days  per  EDG.  MP-3  removes  the  EDGs  from  service 
sequentially  so  that  only  one  diesel  is  out  of  service  at  one  time.  The  variations  m  the  . 
risk  over  the  EDG  outage  period  are  due  to  various  non-EDG  equipment  being  taken  in 
and  out  of  service  simultaneously  with  the  EDGs.  The  baseline  risk  for  MP-1,  viewed  at 
the  end  of  the  plot  in  Figure  6.5,  is  2.3e-07/day  (8.65e-05/year).  The  baseline  risk  is  the 
lowest  value  of  risk  experienced  by  MP-3  during  the  refueling  outage.  It  occurs  when 
there  is  low  decay  heat  and  all  safety  systems  and  associated  equipment  are  available  to 

the  plant. 
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The  outage  of  each  EDG  contributes  a  multiple  of  4.43  over  the  baseline  fuel 
damage  frequency  which  means  that  risk  of  fuel  damage  is  roughly  four  times  more  likely 
when  MP-3  removes  a  single  EDG  from  service.  The  overall  probability  of  fuel  damage 
during  the  49  day  refueling  outage  for  MP-1  is  7.993e-5.  This  value  is  equal  to  the  area 
under  the  risk  profile  curve.  Equation  6.3  aids  in  the  determination  of  the  EDG  outage 


^  Baseline^ 

I  Risk  J 


X  ((Relative  Risk)  - 1)  x 


''EDG  Days^ 

’Contribution  to 

Out  Of 

Total  Risk 

Service  J 

(6.3) 


contribution  to  the  overall  probability  of  fuel  damage.  Utilization  of  this  formula  yields  a 
contribution  value  of  1.335e-5  or  16.7%  of  the  total  probability  of  fuel  damage.  A 
reduction  in  the  out  of  service  time  for  the  EDGs  results  in  a  overall  fuel  damage 
probability  reduction  and  a  corresponding  decrease  of  the  EDG  contribution  to  the  overall 

fuel  damage  probability. 


6.4.2  MP-1  Risk  Profile  Improvement 

We  can  credit  the  1 1 8  hour  EDG  inspection  time  reduction  at  any  point  in  the 
scheduled  outage.  Outage  planning  experts  would  most  likely  take  several  factors  into 
account,  DID  for  example,  when  scheduling  the  shorter  inspections.  Regardless  of  the 
scheduling  strategy  selected,  the  overall  probability  of  fuel  damage  reduces  by  the  same 
amount  (assuming  that  the  equipment  outages  are  independent).  The  improved  nsk 
profile  displayed  in  Figure  6.6  applies  the  118  hour  time  credit  to  the  end  of  the  originally 

scheduled  diesel  outage. 

The  new  probability  of  fuel  damage,  utilizing  the  reduced  inspection 
requirements,  integrated  over  the  49  day  refueling  outage  is  7.492e-5  which  reflects  a  risk 
improvement  of  6.27%.  The  EDG  outage  contribution  to  the  probability  of  fuel  damage 
is  9.497e-6  or  12.7%.  This  reflects  a  reduction  of  five  percentage  points.  These 
probability  improvements  indicate  that  the  shortened  EDG  inspection  not  only  decreases 
the  overall  probability  of  fuel  damage  but  also  decreases  the  importance  of  the  EDG 
outage  as  a  contributor  to  the  overall  plant  risk. 
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Improved  MP-1  Risk  Profile 


Figure  6.6  MP-1  Risk  Profile  Showing  the  Effects  of  Reduced  Inspection  Requirements 

These  same  types  of  improvements  would  be  experienced  by  MP-3  if  it  were  to 
adopt  the  IROI.  Although  the  exact  values  of  probability  reductions  would  differ,  it  is 
apparent  from  the  risk  profile  demonstration  that  any  decrease  in  EDG  outage  time  will 
result  in  risk  reductions.  In  the  case  of  MP-3,  it  is  likely  they  will  experience  larger 
probability  reductions  as  the  proposed  118  hour  time  savings  represent  a  larger  portion  of 
the  total  EDG  outage  time  at  MP-3. 

6.4.3  A  Shortened  Refueling  Outage 

Both  the  DID  and  fuel  damage  probability  analyses  do  not  address  the  risk  effects 
of  shortening  the  overall  length  of  the  refueling  outage.  In  actuality,  a  shortened 
refueling  outage  is  a  natural  consequence  of  a  shortened  EDG  inspection.  In  this  section, 
we  calculate  the  potential  risk  reductions  associated  with  the  shortened  refiieling  outage. 

The  IROI  of  the  EDG  can  be  used  by  the  refueling  outage  schedulers  to  shorten 
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the  electrical  power  supply  system  maintenance  and  testing  period.  If  the  electrical 
power  supply  system  outage  is  part  of  the  plant  critical  path,  this  time  savings  can 
translate  into  an  overall  shorter  refueling  outage.  In  the  past,  MP-3’s  electrical  power 
supply  system  has  not  been  part  of  the  critical  path  because  of  problems  with  the  plant’s 
service  water  system.  MP-3  is  currently  taking  steps  to  repair  the  service  water  system,  at 
which  time  the  electrical  power  system  will  become  part  of  the  cntical  path  [21, 41]. 

Figure  6.7  shows  a  revised  electrical  power  supply  system  schedule  that  maintains 
the  current  DID  levels  utilized  by  MP-3  while  simultaneously  reducing  the  scheduled 
outage  time.  This  analysis  allowed  us  to  trim  the  original  schedule  of  61 1  hours  by  82 
hours  to  a  total  outage  time  of  529  hours.  This  type  of  schedule  could  potentially  save 
MP-3  more  than  three  days  of  its  current  refueling  outage.  These  time  savings  are 
significant  and  can  translate  into  large  monetary  savings  for  MP-3 . 

A  shortened  refueling  outage  can  also  translate  into  benefits  for  the  MP-1 
refueling  outage  probability  of  fuel  damage.  The  shorter  outage  time  period  would 
reduce  the  number  of  days  needed  by  MP-1  to  complete  the  outage  therefore  reducing  the 
total  fuel  damage  risk  (the  area  underneath  the  risk  profile  curve).  Again,  similar 
conclusions  can  be  drawn  for  expected  changes  in  the  refueling  outage  probability  of  fuel 
damage  at  MP-3. 

6.4.4  Refueling  Outage  Risk  Improvement  Summary 

In  practice,  a  group  of  refueling  outage  planning  experts  would  attempt  to 
maximize  the  benefits  of  all  three  types  of  refueling  outage  risk  improvements  associated 
with  the  IROI.  DID,  safety,  and  plant  economics  would  all  influence  the  final  form  of  the 
new  refueling  outage  schedule.  Regardless  of  the  final  form  of  this  schedule,  the  IROI 
allows  MP-3  to  improve  its  overall  refueling  outage  risk  measurably. 
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Figure  6.7  Revised  Electrical  Power  Supply  Refueling  Outage  Schedule,  Based  Upon  a 

Shortened  EDO  Inspection 


6.5  Effects  of  IROI  on  EDG  Failure  Probability 

In  order  to  estimate  the  effects  of  the  IROI  upon  the  EDG  failure  rate,  we  must 
translate  the  alteration  of  the  required  inspections  into  a  change  in  the  failure  rates  of  the 


basic  events  associated  with  the  EDO  system.  Basie  even«  refer  to  individual  farlnres 
*at  could  lead  to  the  failure  of  the  entire  system  (The  entire  list  of  MP-3  basic  events  that 
contribute  to  the  EDO  system  failure  probability  as  weU  as  the  associated  system  fault 
tree  can  be  found  in  Appendix  C  [45, 46]).  Once  we  identify  the  basic  events,  we  can 
perform  a  sensitivity  analysis  in  order  to  evaluate  the  effect  of  the  basic  event  changes  on 

the  EDG  failure  rate. 

The  proposed  IROI  reduces  the  probability  of  failure  for  four  types  of  basic  events 
at  MP-3.  Table  6.3  lists  the  four  basic  events  affected  by  the  proposed  IROI  for  the  A 
EDO  as  well  as  their  associated  respective  probability  values.  In  order  to  calculate  the 
reduction  of  the  EDG  system  failure  probability  value,  we  recalculate  the  fault  tree  top 
event  probability  value  using  new  values  for  the  four  basic  events  listed  in  Table  6.4.  The 
new  values  for  the  four  basic  events  reflect  probability  reductions  of  25%,  50%,  75%  and 

100%,  respectively. 


Basic 

Event 

Number 

Description 

Event 

Probability 

38 

EDG  A  unavailable  due  to  test  or 
maintenance. 

l.le-2 

39 

EDG  A  fails  to  start  on  demand  (includes 
failure  to  rvm). 

1.64e-2 

68 

Common  cause  failure  of  air  operated  stait 
valves. 

1.36e-4 

69 

Common  cause  failure  of  EDGs  to  start  on 
demand  (includes  failure  to  run). 

1.12e-3 

Table  6.4  Basic  Events  Affected  by  Proposed  IROI  and 
Their  Respective  Probability  Values 


Figure  6.8  displays  the  results  of  the  sensitivity  analysis  plotting  the  value  of  the 
probability  of  the  top  event,  failure  of  the  EDG  system.  The  five  calculated  values  of  the 
top  event  appear  as  points  on  the  plot  with  a  least-squares  best  fit  line  revealing  a  linear 
relationship.  For  example,  an  anticipated  basic  event  reduction  of  50%  would  decrease 
the  EDG  system  failure  probability  13.9%,  from  0.0952  to  0.082. 
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Figure  6.8  Effect  of  Basic  Event  Reduction  on  Diesel  Failure  Probability 

A  similar  analysis  of  the  introduction  of  a  comprehensive  diesel  monitoring 
system  at  MP-3  revealed  that  the  EDG  system  failure  probability  can  be  driven  lower 
than  the  values  shown  for  the  IROI  calculation.  The  proposed  monitoring  program 
included  reduction  of  the  probabilities  of  21  basic  events  including  three  of  the  four 
events  listed  in  Table  6.3.  In  addition  to  the  EDG  fault  tree  basic  events,  the  proposed 
monitoring  system  reduced  the  probabilities  of  basic  events  associated  with  the  plant 
service  water  pumps  and  the  EDG  building  ventilation  dampers.  The  risk  sensitivity 
analysis  of  this  system  revealed  that  a  50%  reduction  in  basic  event  probabilities  reduced 
the  EDG  system  failure  probability  by  38.6%.  Using  this  new  failure  rate  information,  a 
completely  new  testing  regiment  was  proposed  by  Dulik.  An  hour  long  monthly  run  of 
the  diesels  was  modified  to  a  yearly  24  hour  run  of  the  diesel.  The  increased  duration  of 
the  test  was  justified  because  of  its  success  in  identifying  nearly  100%  of  all  of  the  EDG 
failure  modes  (in  contrast  to  the  34.5%  of  modes  identified  in  an  hourly  run).  The 
decreased  frequency  of  the  testing  to  once  per  year  was  established  through  optimization 
of  the  new  failure  rate  and  EDG  vmavailability  due  to  testing.  A  complete  analysis  of  the 
proposed  monitoring  system  and  its  associated  reliability  improvements  and  modified 
testing  regiment  can  be  located  in  Dulik’s  report  [3]. 


74 


6.5.1  Failure  Rate  Summary 

The  reduction  in  the  probabilities  of  the  basic  events  associated  with  the  improved 
ROI  are  unknown  quantities.  However,  the  reduction  of  the  failure  probability  is  highly 
likely  as  the  proposed  inspection  alterations  are  based  upon  sound  engineering  practices 
and  the  extensive  historical  performance  of  the  MP-3  diesels.  The  sensitivity  analysis 
presented  here  quantifies  the  possible  reliability  improvements  that  the  MP-3  EDGs  may 
realize  with  the  implementation  of  the  IROI.  It  is  important  to  note  that  any  reliability 
improvement  experienced  by  the  EDG  system  will  also  reduce  the  core  damage 
frequency  (CDF)  of  the  plant. 

6.6  Risk  Improvement  Summary 

In  order  to  fully  appreciate  the  benefits  of  the  EDG  IROI,  analysis  must  go 
beyond  the  qualitative.  Risk  analysis  provides  a  method  for  quantitative  assessment  of 
the  proposed  changes.  The  time  savings  of  the  IROI  result  in  improved  DID  at  MP-3  as 
well  as  the  potential  for  a  shortened  critical  path.  The  refueling  outage  risk  profile  of 
MP-3  would  also  likely  benefit  from  the  IROI  as  reflected  in  a  reduced  fuel  damage 
probability.  Expert  analysis  would  integrate  all  three  of  these  refueling  outage 
improvements  into  a  schedule  that  maximizes  the  benefits  of  the  IROI. 

Although  we  cannot  accurately  calculate  the  reliability  effects  of  the  IROI  without 
the  actual  implementation  of  the  shortened  inspection,  a  sensitivity  analysis  of  the 
potential  improvements  provides  a  clear  picture  of  the  possible  reliability  improvements. 
Increased  monitoring  also  contributes  positively  to  the  risk  outlook  of  the  MP-3  EDG 
system  reliability. 
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Chapter  7  —  On-Line  EDG  Inspection  Benefits 


7.1  Introduction 

Recent  investigation  of  refueling  outages  by  industry  experts  has  revealed  that  the 
probability  of  a  loss  of  offsite  power  and  therefore  the  demand  for  backup  power 
provided  by  the  EDGs  may  actually  be  higher  during  the  refueling  outage  than  when  the 
plant  is  at  power  [15].  This  development  is  likely  due  to  an  increase  m  the  probabilities 
of  human  errors  associated  with  odd  and  infrequently  used  plant  configurations  and  the 
associated  un-familiarity  of  workers  with  them.  This  situation  supports  the  possible 
transfer  of  all  EDG  inspections,  surveillances,  and  maintenance  items  that  currently 
remove  the  diesels  from  service  during  the  refueling  outage  to  a  new  practice  of 
execution  when  the  plant  is  operating  at  power.  Maintenance  and  testing  items  performed 
while  the  plant  is  operating  at  power  are  known  as  on-line  surveillances. 

Several  plants  in  the  US  have  applied  to  the  NRC  to  alter  their  respective  TS  m 

order  to  accommodate  the  18  month  EDG  inspection  while  operating  at  power.  Inmost 

cases,  this  requires  an  extension  of  the  individual  plant’s  allowed  outage  time  (AOT). 

We  found  that  for  the  EDG  inspection  transfer,  the  increase  in  risk  associated  with  a 
larger  AOT  is  considered  non-significant  according  to  NRC  criterion  established  for  TS 
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alteration  [47].  We  also  found  tira.  tire  elimination  of  tire  EDO  ROI  signitieantly  reduces 
tire  fuel  damage  probability  for  tite  duration  of  the  refaeling  outage. 

7  2  Pilgrim  Nnclear  Power  Station  Proposed  TS  Changes 

The  Pilgrim  Nuclear  Power  Station  (PNPS)  is  cunently  applymg  to  the  NRC  or 

extensionoftheirEDGAOTfromtin«.ol4days.ThiseKtensionisintend^to 

increase  the  repair  and  preventive  maintenance  time  and  to  reduce  potentia  or  p  an 
shutdown  transients  during  EDO  repair  and  maintenance.  Additionally,  the  ay 

willallowfortheperformanceofon-lineEDOmaintenance.  In  order  to  balance  e 

availability  of  plant  systems  associated  with  electric  power  activities.  PNPS  is 
simultaneously  applying  for  an  ACT  reduction  for  tiie  smrt-up  transformer.  In  other 
words.  PNPS  is  requiring  that  their  own  start-up  transformer  be  more  available  m  order 

compensate  for  the  increased  unavailability  of  the  EDO  [4, 47],  - 

The  baseline  CDF  value  at  PNPS  is  2.84e-5/year,  resulting  in  a  core  damage 
probability  (CDP)  of  1.09e-6  over  a  14  day  period.  The  CDF  value  with  one  EDG 
unavailable  and  one  EDG  subject  to  random  fatiures  increases  by  a  fiictor  of  1 .79  to 
5  OSe-S/year.  The  corr^ponding  CDP  over  14  days  is  1 .95e.6.  rqiresenting  a  temporary 
increase  of  8.6e-7  (or  78.9%)  over  the  baseline  CDP  value.  This  increase  is  considered 
non-risk-significant  in  terms  of  the  criteria  of  both  EPRI  and  the  NRC  [4].  EPRI  s  ns  - 
significant  standard  is  1  .Oe-6  for  CDP  while  the  NRC  standards  requires  a  CDF  mcrease 

less  than  l.Oe-5.  The  CDF  increase  anticipated  by  PNPS  is  1.72e-6.  At  this  time,  the 

PNPS  staff  expresses  confidence  that  their  proposal  will  be  approved  by  the  NRC  [47]. 


7.3  On-line  Transfer  of  Surveillances  at  MP-3 

The  transfer  of  all  MP-3  refueling  outage  EDG  surveillances  on-line  would  first 
require  a  basic  change  in  the  TS  of  the  plant.  Currently,  tire  1 8  month  insp^tion  must  be 
performed  during  the  refueling  outage  per  the  wording  of  TS  4.8.1.1.2.g.l  [17].  If  the  T 
were  changed,  however,  the  MP-3  diesel  engineer  has  expressed  confidence  that  all 
inspection  and  maintenance  items  currently  performed  during  the  ROI  could  be  i 

performed  on-line  with  little  or  no  difficulty.  The  MP-2  diesel  engineer  supported  tins 
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opinion,  but  wi*  bte  caution  that  an  associated  inotcase  in  MP-B’s  three  day  AOT  n,^ 
occur  in  order  to  compensate  for  the  additionai  surveiliances  dtat  would  he  performed  on¬ 
line  [211.  Additionally,  he  recommended  that  this  increase  tn  the  AOT  would  be 

beneficial  in  the  event  that  a  major  repair  must  take  place  [23]. 

calculation  of  the  associated  risk  implications  for  the  hansfer  of  dte  ROl  .terns 

and  associated  EDO  testing  practices  on-lme  for  both  the  current  ROI  and  the  IROI  ts 

possible  We  present  risk  calculations  in  this  segment  that  only  address  the  ns 

intplications  of  tiansfer  of  the  IROI,  Transfer  of  tite  ROI  would  yield  sinnlar  nsk  re^  ts 
hut  the  diesel  would  no.  realize  tite  reliability  benefits  of  the  al^red  inspeetton. 


7.3.1  Refueling  Outage  Risk  Improvements 

The  transfer  of  tite  IROI  items  and  associated  testing  requirements  wtll  not  affect 
the  calculated  IROI  DID  level  improvements  during  the  refueling  outage.  The  current 
DID  levels  are  constrained  by  the  outage  of  key  buses  that  will  remain  unaffected  by  tite 
transfer  of  EDO  surveillances  on-line.  This  is  also  true  for  the  critical  pad.  time 

improvements.  The  improvement  computed  in  Section  6.4.3  represent  tite  maxnnum 

refueling  outage  time  savings  available  wititthe  consttaint  of  maintenance  of  current  DID 
levels. 

The  main  refueling  outege  risk  reduction  of  on-line  surveillance  transfer  can  be 
seen  in  the  refueling  outage  risk  profile  and  associated  fuel  damage  probability.  In  order 
,0  demonsnate  titis  benefit,  we  again  utilize  tite  MP-1  Risk  Profile  in  the  absence  of  a 
similar  MP-3  document  Figure  7.1  details  the  risk  profile  alteration  anticipated  as  a 
result  of  the  transfer  ofEDG  surveillances  on-line.  The  totel  fuel  damage  probability 
over  the  49  day  outage  is  6.27e-5  compared  to  the  original  fuel  damage  probability  of. 

7.993e-5.  Thischangeteflectsa21.6%imptovementoverthebasecase.  Thisnsk 

profile  analysis  does  not  account  for  risk  changes  associated  with  a  shortened  refitelmg 
outage.  However,  a  shortened  refueling  outege  results  in  additional  risk  benefits. 
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MP-1  Risk  Profile  W/O  EDG  Surveillances 


Figure  7.1  MP-1  Refiieling  Outage  Risk  Profile  in  the  Absence  of  EDG  Surveillances 

7.3.2  Risk  Implications  of  Performing  Inspections  While  Operating  At  Power 
The  outage  of  one  EDG  at  MP-3  increases  the  CDF  a  factor  of  1.47  over  the 
baseline  CDF  value  of  6e-5/yt  [40].  This  factor  considers  the  case  where  one  EDG  is  out 
of  service  while  the  remaining  diesel  is  available  but  subject  to  random  failures.  In  order 
to  analyze  the  affects  of  transferring  EDG  surveillances  on-line,  we  must  choose  a  value 
of  AOT  increase  to  use  in  our  analysis.  Currently,  the  MP-3  ACT  value  Is  three  days  but 
the  transfer  of  the  IROI  will  require  at  least  an  extra  three  days  of  AOT.  One  extra  day  is 
also  added  for  con^rvatism  and  to  conform  to  the  MP-2  diesel  engineer’s  suggestion.. 
No  attempt  to  compensate  for  power  system  availability  is  made  here  (as  in  the  Pilgnm 
application).  The  corresponding  risk  sensitivities  are  summarized  as  follows: 


•  Baseline  CDF 

•  Baseline  CDP  integrated  over  7  days 

•  CDF  with  one  EDG  unavailable 

•  CDP  with  one  EDG  unavailable  integrated 
over  7  days 


=  6e-5/yr 

=  6e-5*7/365  =  1.15e-6 
=  8.8e-5/yr 


=  8.8e-5*7/365  =  1.69e-6 
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Thus,  having  one  EDG  unavailable  for  7  days  causes  a  temporary  increase  of 
5.4e-7  over  the  baseline  CDP  value.  We  calculate  the  permanent  change  in  the  annual 
mean  CDF  as  a  result  of  the  increased  AOT  as  follows: 


CDP  with  one  EDG  unavailable  7  days 

New  annual  mean  CDF  =  2*1.69e-6+(6e-5*351/365)  -  6  1  le-5/yr. 

(The  2*  factor  is  due  to  the  7  day  AOT  for  EACH  diesel) 

The  resulting  increase  in  the  CDF  value  is  l.le-6/yr.  a  figure  well  below  the  NRC 


criterion  of  l.Oe-5/yr  [2]. 

Table  7.1  contains  the  projected  risk  comparison  of  a  7  day  AOT  at  MP-3  to  that 
of  a  14  day  AOT.  Although  a  14  day  AOT  would  meet  the  NRC  criteria,  it  fails  to  meet 
the  EPRI  criteria  of  CDP  increase  less  than  l.Oe-6  [4].  This  catena  failure,  however,  is 
quite  small  and  would  most  likely  be  waived  in  practice  on  the  basis  that  the  error  of  the 
CDF  estimate  is  less  than  the  CDF  difference  observed  here. 


7  Day  AOT 

14  Day  AOT 

Baseline  CDP 

1.15e-6 

2.3e-6 

CDP  w/  One  EDG  OOS 

1.69e-6 

3.38e-6 

CDP  Increase 

5.4e-7 

1.08e-6 

New  CDF 

6.11e-5/yr 

6.22e-5/yr 

CDF  Increase 

l.le-6/yr 

2.2e-6/yr 

Table  7. 1  Comparison  of  the  Risk  Implications  of  7  and  1 4  Day  AOTs 


7.3.3  Additional  Considerations 

Before  accepting  on-line  EDG  surveillance  at  MP-3,  we  must  account  for 
additional  considerations  of  risk.  Initially,  workers  will  be  inexperienced  with  performing 
surveillances  on-line.  The  power  plant  managers  must  anticipate  and  reduce  human  error 
wherever  possible.  Additionally,  the  performance  of  increased  on-line  testing  may 
introduce  transients  that  have  never  occurred  before  in  the  plant.  The  power  plant 
managers  must  also  anticipate  and  plan  for  these  events.  One  final  consideration  is  the 
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detailed  planning  that  must  take  place  in  order  to  anticipate  equipment  outage 
combinations  that  would  degrade  safe  operation  of  the  plant.  Increased  EDG  outages 
while  operating  at  power  will  necessarily  complicate  the  work  of  maintenance  planners 

[15,21,23,40]. 

7.4  Summary 

Use  of  on-line  testing  and  maintenance  in  nuclear  power  plants  has  increased 
greatly  in  recent  years.  Transfer  of  the  IROI  activities  to  on-line  performance  results  in 
large  risk  reductions  during  the  refueling  outage  and  negligible  risk  increases  while 
operating  at  power.  However,  human  errors  associated  with  the  on-line  transfer  and  other 
unknown  risk  factors  must  be  studied  further  before  this  program  is  implemented  fully  at 
a  power  plant  such  as  MP-3. 
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Chapter  8  --  Economic  and  Safety  Benefits  of  the  IROI 


8.1  Introduction 

Significant  potential  economic  and  safety  benefits  result  as  a  consequence  of 
implementation  of  the  IROI.  The  most  fimdamental  of  these  benefits  will  result  from 
avoided  repair  and  equipment  replacement  costs  arising  fi'om  the  reduction  of  intrusive 
practices.  The  largest  economic  benefit,  however,  will  arise  as  a  result  of  redueing  the 
critical  path  of  the  refueling  outage.  These  substantial  savings  can  in  turn  be  a  source  of 
funding  for  an  advanced  monitoring  program  or  enhanced  safety  training  of  persoimel. 

8.2  Direct  Economic  and  Safety  Benefits 

The  reduction  of  the  number  of  inspection  items  associated  with  the  ROI  will 
provide  MP-3  with  immediate  economic  and  safety  benefits.  Reduced  maintenance, 
such  as  the  increased  periodicity  of  changing  the  turbocharger  oil,  will  result  in  fewer 
basic  parts  being  needed.  The  diesel  operator  will  need  items  such  as  filters  and  fresh  oil 
at  a  reduced  frequency.  Additionally,  the  diesel  engineer  can  eliminate  use  of 
unnecessary  test  equipment,  such  as  the  fuel  injector  static  test  mechanism,  from  the  MP- 
3  engineering  inventory  [21]. 
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The  more  profound  and  important  benefit  realized  directly  by  MP-3  will  occur 
from  the  avoided  safety  risk  associated  with  errors  caused  by  humans.  The  less  intrusive 
IROI  will  preserve  the  condition  of  the  EDG  eliminating  unnecessary  action  by  humans. 
Although  failures  of  the  EDG  will  still  be  possible,  the  frequency  of  human-induced 
failures  is  likely  to  decrease.  These  avoided  failures  will  also  likely  reduce  the  amounts 
of  money  and  time  needed  to  repair  the  diesel  following  a  such  a  failure  [15, 21]. 

A  good  example  of  such  failures  took  place  during  MP-3’s  last  refueling  outage. 
The  TS  require  a  disassembly  inspection  of  two  of  the  exhaust  valve  assemblies  (one  on 
each  diesel)  every  36  months.  A  worker  damaged  one  of  these  exhaust  valves  so  badly 
during  disassembly  that  it  had  to  be  replaced  by  the  inspection  team.  The  other  exhaust 
valve  was  also  replaced  by  the  inspection  team  because  of  pitting  on  the  valve  seating 
face.  Although  this  particular  valve  failed  its  inspection  due  to  the  pitting,  all  of  the 
personnel  involved  with  the  inspection  stated  that  the  valve  was  still  fully  operational 
(additionally,  the  engine  analyzer  had  not  indicated  a  problem  with  the  valve)  ~  MP-3 
replaced  the  equipment  because  of  a  technicality  [21].  MP-3  replaced  two  functioning 
valves  at  a  large  economic  and  safety  cost.  Although  this  specific  inspection  is  not 
included  in  the  current  ROI,  it  is  an  example  of  the  type  of  inspections  eliminated  under 
the  IROI. 

These  types  of  direct  benefits  are  difficult  to  quantify  as  they  depend  upon  past 
documentation.  Workers  at  MP-3  made  no  attempt  to  record  the  rationale  for  each 
specific  equipment  replacement  at  MP-3.  Instead  EDG  workers  related  this  information 
on  an  anecdotal  basis,  such  as  the  example  of  the  exhaust  valve  assemblies.  The 
inspection  participants,  however,  feel  that  the  direct  savings  realized  as  a  result  of  the 
IROI  will  be  substantial. 

8.3  Shortened  Refueling  Outage  Benefits 

Chapter  6  details  the  risk  benefits  of  a  shorter  refueling  outage  revealing  the 
benefits  as  being  substantial.  The  economic  benefits  of  a  shortened  refueling  outage  are 
fortunately  just  as  substantial.  While  a  plant  is  in  a  refueling  outage  they  must  buy  power 
from  other  sources  to  provide  to  their  customers.  In  May  of  1995,  the  replacement  cost 
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per  day  was  anywhere  from  $215,000  to  $344,000  (1995  dollars).  This  translates  to  a 
maximum  approximates  savings  of  $1 .18  million  ($344,000/day  3.42  days)  over  the 
entire  refueling  outage  if  current  DID  levels  are  maintained  by  MP-3  [40]. 

Additionally,  the  shortened  refueling  outage  will  also  reduce  the  labor  costs 
associated  with  the  current  ROI.  For  the  1995  ROI,  the  total  cost  of  internal  and  external 
labor  was  approximately  $165,000  [48].  The  vast  majority  of  this  was  paid  to  Colt- 
Pielstick  for  vendor-related  support.  Assuming  a  level  price  per  hour  for  all  labor  costs  of 
$487  results  in  an  additional  $40,000  savings  in  avoided  cost. 

8.4  Utilization  of  Economic  Benefits 

Improved  DID,  decreased  fuel  melt  probability  and  reduced  EDO  failure 
probability  are  all  safety  benefits  of  the  IROI.  In  addition  to  these  important  safety 
benefits,  MP-3  can  use  the  economic  benefits  of  the  IROI  to  fund  additional  EDG 
monitoring  equipment  and  training  programs  that  benefit  the  safety  of  the  plant. 

For  example,  one  particular  concern  of  the  experts  at  INEEL  is  human  errors 
introduced  during  the  realignment  of  the  EDG  following  the  ROI  [15].  In  many  plants,  a 
single  operator  will  use  a  checklist  to  ensure  that  the  EDG  is  ready  for  operation  and 
testing.  The  INEEL  experts  have  stated  that  a  system  of  double  checks,  in  which  two 
workers  are  responsible  for  performing  identical  checks,  will  remedy  the  realignment 
errors.  Funding  for  this  additional  labor  can  come  from  the  avoided  labor  costs 
associated  with  the  IROI.  The  two  inspectors  can  perform  this  initial  check  and 
subsequent  double  check  almost  simultaneously,  therefore  avoiding  an  extension  of  the 
refueling  outage. 

The  avoided  costs  of  the  IROI  can  also  pay  for  additional  sensing  and  monitoring 
of  the  EDG.  Dulik’s  work  outlines  the  economics  of  such  a  plan  in  detail.  The  result  of 
his  analysis  concludes  that  a  plant  can  pay  for  such  a  device  with  the  avoided  cost  of  just 
one  refueling  outage  [3]. 

The  substantial  savings  can  also  fund  improvements  in  the  work  place  for  the 
EDG  workers.  An  improved  work  space  and  lounge  can  have  positive  effects  on  the 
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quality  of  work  produced  by  laborers.  The  economic  benefits  of  the  IROI  can  also  fund 
non-EDG  related  safety  programs  such  as  CPR  or  fire  safety  training. 

8.5  Conclusion 

The  economic  savings  associated  with  the  IROI  are  remarkable.  The  avoided 
costs  of  labor  and  equipment  are  substantial  but  are  minute  when  compared  to  the 
millions  saved  through  a  shortened  refueling  outage.  A  plant  realizes  safety  benefits 
through  reduced  risk  at  power  and  while  the  plant  is  refueling.  A  plant  can  experience 
additional  safety  benefits  through  the  funding  of  various  projects. 
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Chapter  9  —  Conclusions  and  Recommendations 

The  refueling  outage  inspection  currently  utilized  at  MP-3  has  serious 
administrative  and  basic  engineering  shortcomings.  Analysis  of  the  ROI  utilizing  risk- 
informed  performance-based  methodology  reveals  that  MP-3  can  realize  substantial 
benefits  through  implementation  of  an  improved  refueling  outage  inspection. 

Chapter  4  presents  a  plan  for  the  IROI  based  upon  the  opinions  of  the  MP-3  and 
MP-2  diesel  engineers.  Both  of  these  men  have  extensive  experience  with  EDGs  and  the 
MP-3  diesel  engineer  has  worked  with  the  MP-3  diesels  since  they  were  put  into 
operation.  Their  recommendations  are  based  upon  their  inspection  experience  and  their 
detailed  knowledge  of  the  performance  of  their  respective  diesels. 

Chapter  5  assembles  the  experience  of  non-nuclear  industry  EDG  applications. 
We  compare  and  contrast  inspections,  operating  experience,  and  expert  opinion 
associated  with  EDGs  in  hospitals,  the  FAA  and  the  US  Navy.  We  use  this  comparison 
to  further  substantiate  the  recommendations  made  by  the  Millstone  engineers. 

We  present  the  numerous  risk  benefits  associated  with  the  IROI  in  Chapter  6. 
Analysis  of  defense  in  depth,  refueling  outage  fuel  melt  probability,  and  EDG  failure 
probability  all  show  that  implementation  of  the  IROI  will  result  in  a  net  risk 
improvement. 
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Chapter  7  details  the  risk  and  time  savings  assoeiated  with  the  on-line  transfer  of 
the  IROI.  This  transfer  requires  an  inerease  in  the  EDO  allowed  outage  time  from  its 
current  three  day  limit.  An  analysis  of  an  AOT  increase  to  7  and  14  days  reveals  that  the 
associated  risk  increase  is  insubstantial  according  to  NRC  and  EPRI  limits.  MP-3 
implementation  of  such  a  plan,  however,  is  limited  by  operational  uncertamties. 

Finally,  Chapter  8  presents  the  many  economic  and  safety  benefits  associated  with 
the  IROI.  The  substantial  economic  benefits  realized  by  MP-3  can  be  used  to  implement 

further  safety  programs  within  the  plant. 

We  conclude  that  the  refueling  outage  inspection  of  the  diesel  should  be 
developed  and  implemented  by  personnel  familiar  with  the  operating  characteristics  and 
history  of  the  individual  diesels.  The  vendor  recommendations  for  EDG  inspection  and 
maintenance  should  be  used  solely  as  a  recommendation,  not  as  a  rigid  set  of  rules.  We 
also  judge  that  vendor  representatives  should  be  used  as  consultants,  not  inspectors,  as 
their  role  of  inspector  is  compromised  by  an  obvious  conflict  of  interest. 

The  NRC  will  likely  require  implementation  of  the  IROI  on  a  trial  basis  if  it  is  to 
proceed.  MP-3  can  accomplish  this  through  application  of  the  IROI  on  one  EDG  only. 
Transfer  to  on-line  performance  of  the  inspection  would  be  the  next  proposed  step  taken 
by  MP-3  following  the  proven  success  of  the  IROI. 

We  used  methods  and  arguments  in  this  work  that  demonstrate  EDG  regulation 
can  be  logically  altered  based  on  the  performance  history  of  the  diesel  and  the  associated 
risk  consequences.  These  methods  easily  transfer  to  other  questionable  regulation  within 
the  nuclear  industry  structure. 
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Chapter  10  --  Future  Work 


10.1  Introduction 

The  project  on  Integrated  Models,  Data  Bases  and  Practices  Needed  for 
Performance-Based  Safety  Regulation,  of  which  this  EDG  ROI  study  is  a  part,  concludes 
in  January  of  1998.  Although  the  study  provides  a  clear  framework  for  the  application  of 
performance-based  safety  regulation,  specific  EDG  ROI  questions  left  unanswered  in  this 
work  may  also  arise  in  future  application  of  ftie  methodology. 

10.2  Inspection  Administration 

Although  the  current  administration  of  the  ROI  is  questionably  set  up  by  the  TS, 
total  elimination  of  inspection  oversight  may  not  be  appropriate.  Implementation  of  a .. 
diesel  inspection  program  similar  to  that  of  the  US  Navy  should  be  explored.  Such  a 
program  would  provide  a  much  needed  third  party  inspector  whose  primary  goal  would 
be  diesel  reliability  and  safety. 
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10.3  Balancing  Risk  Benefit 

The  numerous  risk  benefits  realized  through  implementation  of  the  IROI  should 
be  integrated  in  such  a  way  that  they  provide  maximum  safety  and  reliability 
improvement.  A  detailed  study  of  the  integration  of  DID,  fuel  damage  probability,  and 
diesel  reliability  will  provide  a  framework  for  future  regulation  alteration  analysis. 


10.4  On-line  Transfer  of  IROI 

The  performance  of  the  IROI  while  the  plant  is  operating  at  full  power  promises 
substantial  risk,  economic,  and  safety  benefits  with  a  negligible  increase  in  CDF.  Further 
work  must  be  performed,  however,  to  determine  the  likelihood  of  increased  human  errors 
caused  by  the  on-line  transfer.  Additionally,  compensation  within  the  power  system 
should  be  explored  to  adjust  for  the  anticipated  increase  in  the  AOT  of  the  EDO. 
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Appendix  A  -  Millstone  Unit  3  Technical  Specifications 


The  following  material  is  an  excerpt  from  the  NRC-approved  Technical 
Specifications  for  Unit  3  of  the  Millstone  Nuclear  Power  Station  [18].  This  specific 
selection  outlines  surveillance  requirements  for  the  electrical  power  systems  utilized  at 
MP-3.  Technical  Specification  (TS)  4.8.1.1.2.g.l,  located  in  this  appendix,  is  repeatedly 
refered  to  throughout  this  work  as  it  forms  the  basis  for  the  Emergency  Diesel  Generator 
refueling  outage  inspection. 
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FT.KCTRTCAT.  POWER  SYSTEMS 


4.8. 1.1.1  Each  of  the  above  required  independent  circuits  between  the  offsite 

transmission  network  and  the  Onsite  Class  IE  Distribution  System  shall  be: 


a.  Determined  OPERABLE  at  least  once  per  7  days  by  verifying  correct 
breaker  alignments,  indicated  power  availability,  and 


b.  Demonstrated  OPERABLE  at  least  once  per  1 8  months  during  shutdown 
by  transferring  (manually  and  automatically)  unit  power  supply  from  the 
normal  circuit  to  the  alternate  circuit. 


4.8. 1 . 1 .2  Each  diesel  generator  shall  be  demonstrated  OPERABLE: 

a.  In  accordance  with  the  frequency  specified  in  Table  4.8-1  on  a 
STAGGERED  TEST  BASIS  by: 

1)  Verifying  the  fuel  level  in  the  day  tank, 

2)  Verifying  the  fuel  level  in  the  fuel  storage  tank, 

3)  Verifying  the  fuel  transfer  pump  starts  and  transfers  fuel  from  the 
storage  system  to  the  day  tank, 

4)  Verifying  the  lubricating  oil  inventory  in  storage, 

5)  Verifying  the  diesel  starts  from  standby  conditions  and  achieves 
generator  voltage  and  frequency  at  4160±420  volts  and  60±0.8  Hz. 
The  diesel  generator  shall  be  started  for  this  test  by  using  one  of 
the  following  signals: 

a)  Manual,  or 

b)  Simulated  loss-of-offsite  power  by  itself,  or 

c)  Simulated  loss-of-offsite  power  in  conjimction  with  an  ESF 
Acutation  test  signal,  or 

d)  An  ESF  Actuation  test  signal  by  itself. 


6)  Verifying  the  generator  is  synchronized  and  gradually  loaded  in 
accordance  with  the  manufacturer’s  recommendations  to  greater 
than  or  equal  to  4986  kW  and  operates  with  a  load  greater  than  or 
equal  to  4986  kW  for  at  least  60  minutes,  and 

7)  Verifying  the  diesel  generator  is  aligned  to  provide  standby  power 
to  the  associated  emergency  buses. 

b.  At  least  once  per  1 84  days,  verify  that  the  diesel  generator  starts  and 
attains  generator  voltage  and  frequency  of  4160  ±420  volts  and  60  +0.8  Hz 
within  1 1  seconds  after  the  start  signal.  The  generator  shall  be 
synchronized  to  the  associated  emergency  bus,  loaded  to  greater  than  or 
equal  to  4986  kW  in  accordance  with  the  manufacturer’s 
recommendations,  and  operate  with  a  load  greater  than  or  equal  to 

4986  kW  for  at  least  60  minutes.  The  diesel  generator  shall  be  started  for 
this  test  using  one  of  the  signals  in  Surveillance  Requirement  4.8.1.1.2.a.5. 
This  test,  if  it  is  performed  so  it  coincides  with  the  testing  required  by 
Surveillance  Requirement  4.8.1. 1.2.a.5,  may  also  serve  to  concurrently 
meet  those  requirements  as  well.  ' 

c.  At  least  once  per  3 1  days  and  after  each  operation  of  the  diesel  where  the 
period  of  operation  was  greater  than  or  equal  to  1  hour  by  checking  for  and 
removing  accumulated  water  from  the  day  tank; 

d.  At  least  once  per  3 1  days  by  checking  for  and  removing  accumulated 
water  from  the  fuel  oil  storage  tanks; 

e.  By  sampling  new  fuel  oil  in  accordance  with  ASTM-D4057  prior  to 
addition  to  storage  tanks  and: 

1)  ‘By  verifying  in  accordance  with  the  tests  specified  in  ASTM- 

D975-81  prior  to  addition  to  the  storage  tanks  that  the  sample  has; 

a)  An  API  Gravity  of  within  0.3  degrees  at  60°F,  or  a  specific 
gravity  of  within  0.0016  at  60/60°F,  when  compared  to  the 
supplier’s  certificate,  or  an  absolute  specific  gravity  at 
60/60°F  of  greater  than  or  equal  to  0.83  but  less  than  or 
equal  to  0.89,  or  an  API  gravity  of  greater  than  or  equal  to 
27  degrees  but  less  than  or  equal  to  39  degrees; 

b)  A  kinematic  viscostiy  at  40°C  of  greater  than  or  equal  to 
1.9  centistokes,  but  less  than  or  equal  to  4.1  centistokes 
(alternatively,  Saybolt  viscosity,  SUS  at  100°F  of  greater 
than  or  equal  to  32.6,  but  less  than  or  equl  to  40.1),  if 
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gravity  was  not  determined  by  comparison  with  the 
supplier’s  certification; 

c)  A  flash  point  equal  to  or  greater  than  125°F ;  and 

d)  Water  and  sediment  less  than  0.05  percent  by  volume  when 
tested  in  accordance  with  ASTM-D 1796-83. 

2)  By  verifying  within  30  days  of  obtaining  the  sample  that  the  other 
properties  specified  in  Table  1  of  ASTM-D975-81  except  that:  (1) 
the  cetane  index  shall  be  determined  in  accordance  -with  ASTM- 
D976  (this  test  is  an  appropriate  approximation  for  cetane  number 
as  stated  in  ASTM-D975-81  [Note  E]),  and  (2)  the  analysis  for 
sulfur  may  be  performed  in  accordance  with  ASTM-D 1552-79, 
ASTM-D2622-82  or  ASTM-D4294-83. 

f.  At  least  once  every  3 1  days  by  obtaining  a  sample  of  fuel  oil  in  accordance 
with  ASTM-D2276-78,  and  verifying  that  total  particulate  contamination 
is  less  than  10  mg/liter  when  checked  in  accordance  with  ASTM-D2276- 
78,  Method  A; 

g.  At  least  once  per  18  months,  during  shutdown,  by: 

1)  Subjecting  the  diesel  to  an  inspection  in  accordance  with 
procedvires  prepared  in  conjunction  with  its  manufacturer’s 
recommendations  for  this  class  of  standby  service; 

2)  Verifying  the  generator  capability  to  reject  a  load  of  greater  than  or 
equal  to  595  kW  while  maintaining  voltage  at  4160  ±  420  volts  and 
frequency  at  60  ±  3  Hz; 

3)  Verifying  the  generator  capability  to  reject  a  load  of  4986  kW 
without  tripping.  The  generator  voltage  shall  not  exceed  5000 
volts  dviring  and  4784  volts  folloAving  the  load  rejection; 

4)  Simulating  a  loss-of-offsite  power  by  itself,  and: 

a)  Verifying  deenergization  of  the  emergency  buses  and  load 
shedding  from  the  emergency  buses,  and 

b)  Verifying  the  diesel  starts  from  standby  conditions  on  the 
auto-start  signal,  energizes  the  emergency  buses  with 
permanently  connected  loads  within  1 1  seconds,  energizes 
the  auto-connected  shutdown  loads  through  the  load 
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sequencer  and  operates  for  greater  than  or  equal  to  5 
minutes  while  its  generator  is  loaded  with  the  shutdown 
loads.  After  energization,  the  steady-state  voltage  and 
frequency  of  the  emergency  buses  shall  be  maintained  at 
41 60  ±  420  volts  and  60  ±  0.8  Hz  during  the  test. 
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Appendix  B  --  Colt-Pielstick  PC2 V  Engine  Instructions 


The  following  material  consists  of  an  excerpt  from  the  Colt-Pielstick  Engine 
Instruction  manual  [17].  This  manual  contains  information  covering  the  description, 
operation  and  servicing  of  the  Colt-Pielstick  PC2V  diesel  engine,  the  type  of  engines 
utilized  at  Millstone  3.  The  specific  information  contained  in  this  appendix  consists  of 
the  supplemental  maintenance  instructions  tailored  for  PC2V  engines  used  for  standby 
service. 

The  Annual/Refuel  instructions  found  in  this  excerpt  make  up  the  18  month 
emergency  diesel  generator  refueling  outage  inspection  -  the  focus  of  the  work  in  this 
report. 
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rr)T  .T-PTF.T.STTr.K  -  PC2V  ENGINE  INSTRUCTIONS 


W.  SUPPLEMENT  MAINTENANCE  INSTRUCTIONS 
For  Model  PC2V  Standby  Units 

The  following  inspection  routine  is  supplemental  to  component  part  operation  and 
service  instructions  in  the  instruction  book  and  is  recommended  for  engine  and  standby 
nuclear  service.  The  unit  may  not  accumulate  significant  operating  hours  between 
refueling  and  maintenance  periods  but  the  service  and  importance  of  availability  justifies 
the  frequency  of  inspection. 

It  is  of  primary  importance  that  every  repair  and  malfunction  is  entered  onto  the 
engine  operating  log.  Operating  log  data  must  be  used  to  graph  critical  pressures  and 
temperatures  to  determine  trends  in  operating  performance.  It  is  of  equal  importance  that 
this  data  be  available  in  the  Maintenance  Department  for  ready  reference  and  analysis  by 
maintenance  and  visiting  service  personnel. 

Daily  Inspection 

1.  Lube  oil  level  in  turbochargers  air  side  and  exhaust  side,  oil  sumps,  outboard 
bearing,  governor,  air  distributor  and  air  compressor.  Presence  of  water  in  the  oil 
requires  determination  of  cause  and  immediate  correction.  Note  that  unlike 
automotive  engines,  oil  leveling  and  measuring  procedures  are  performed  with  the 
engine  operating  at  controlled  temperatures.  Cold  oil  will  expand  and  raise  oil 
levels.  Do  not  overfill  as  bearing  damage  can  occur. 

2.  Standby  heaters  and  pumps  are  operational;  minimum  lube  oil  temperature  120°F, 
water  temperature  105°F. 

3 .  Jacket  water  surge  tank  level.  Changes  in  the  level  of  the  surge  tank  or  presence 
of  oil  must  be  investigated  and  the  cause  corrected. 

4.  Control  power  is  available,  there  are  no  flags  on  the  switch  gear  controls  and  no 
annunciator  alarms.  The  engine  control  should  be  set  for  operation. 

Weekly  or  Biweekly  -  Operation  and  Checks 

1 .  All  preceding  instructions  plus  drain  air  start  tank  condensate. 

2.  Operate  rocker  prelube  pump  5  minutes  if  engine  is  not  operated  every  week. 

3 .  Check  injection  pump  racks  for  free  movement.  Clean  injection  pump  racks  with 
fuel  oil  as  required. 

4.  Check  the  DC  control  supply  and  service  batteries  as  required. 

5 .  Check  day  tank  fuel  level  and  inspect  tank  pit  for  fuel  leakage. 

6.  Unit  operation 

a.  During  run-in  of  replacement  parts  and  performance  checks  other  than 

emergency  starts,  it  is  desirable  to  start  the  engine  at  idle  speed,  increase 
the  speed  over  a  5  to  10  minute  period  to  5 14  rpm  and  apply  load  over  a 
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10  to  30  minute  period.  As  with  an  automobile,  moderate  treatment 
improves  longevity.  Actual  run-in  procedures  vary  depending  upon  part 
replacement  and  will  be  provided  by  our  service  representative. 

b.  Surveillance  Test  (Weekly  or  Biweekly) 

After  confirmation  that  the  unit  is  ready  for  start,  proceed  with  test 
start  in  less  than  10  seconds. 

-Run  the  unit  at  no  load  for  3  to  5  minutes,  until  fluid  pressures  and 
temperatures  are  stabilized. 

-Apply  20  to  30  percent  load  and  run  the  unit  for  3  to  5  minutes, 
imtil  pressures  and  temperatures  are  stabilized. 

-Apply  additional  load  to  bring  the  unit  to  50  to  60  percent  of 
continuous  rating.  Run  the  unit  for  3  to  50  minutes,  until  pressures  and 
temperatures  are  stabilized. 

-Apply  additional  load  to  bring  the  xmit  to  80  to  90  percent  of 
continuous  rating. 

c.  Operate  the  unit  1  to  2  hours.  Temperature  and  pressure  data  should  be 
recorded  after  startup  and  after  1  hour  operation.  The  second  line  of  data 
will  reflect  stabilized  temperatures  and  should  be  plotted  to  indicate 
possible  changes  in  performance.  If  the  unit  is  run  for  more  than  one  hour, 
a  line  of  data  should  be  recorded  every  hour. 

d.  Wipe  down  the  unit  and  clean  the  area  noting  any  oil,  fuel  or  water  minor 
leaks  in  need  of  repair.  Unusual  heat  on  bearing  housings  should  be 
investigated.  Site  glasses  for  flow  and  levels  should  be  rechecked. 

e.  Check  generator  field  slip  ring  brushes  for  arcing. 

f.  Record  lube  oil  usage. 

g.  Reduce  load  gradually,  at  same  rate  as  the  loading  reference  described  in 
paragraph  b  above.  Operate  unit  2  to  3  minutes  at  no  load  for  cool  down 
prior  to  engine  shutdown. 

h.  Analyze  operating  data  to  determine  if  maintenance  is  required  or  if 
temperature  or  pressure  data  requires  further  investigation.  Jacket  water, 
lube  oil,  air  manifold,  raw  water,  fuel  oil  and  exhaust  temperatures  and 
pressures  should  remain  relatively  constant  for  any  given  load.  Changes 
in  temperatures  or  pressures  or  differentials  in  temperatures  or  pressures 
generally  means  a  change  in  operating  condition  of  the  engine  and  the 
causes  should  be  determined. 

i.  Surveillance  tests  loading  should  always  be  the  same  to  provide  for 
comparison  of  engine  operating  data  and  determine  if  preventive 
maintenance  is  required. 

Quarterly 

1 .  All  preceding  instruction. 

2.  Service  all  the  auxiliaries,  such  as  the  starting  air  compressor,  lube  oil  filter  and 

strainer  as  required  and  check  the  condition  of  the  air  inlet  filters. 

3.  Sample  the  jacket  water  for  the  required  level  of  treatment. 
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4.  Sample  the  lube  oil  for  condition  and  contaminates.  Check  and  add  approved  oil 
as  required  to  the  alternator  bearing,  governor  and  turbochargers. 

5.  Check  all  pump  seals  for  excessive  leakage. 

6.  Check  and  observe  engine  during  starting  for  air  leakage  in  piping,  servo  and 
controls. 

7.  Sample  check  rockers.  Remove  rocker  box  cover,  check  for  proper  lubrication, 
tappet  clearance  and  confirm  no  water  is  leaking  into  the  rocker  arm  compartment. 

8.  Thoroughly  clean  engine  room. 

Annual/Refuel:  (1  year  -- 18  months) 

1.  All  preceding  instructions. 

2.  Remove  and  check  injection  no2zles  for  operation  and  opening  pressure. 

3.  Remove,  disassemble,  clean  and  repair  all  air  start  valves  and  air  start  distributors. 
Clean/replace  air  start  distributor  filter. 

4.  Drain  and  refill  governor  and  turbochargers  with  approved  oil. 

5.  Drain,  flush  and  refill  outboard  bearing  with  approved  oil. 

6.  Check  tightness  on  all  foundation  block  to  base,  oil  and  water  line  bolts. 

7.  Check  sample  of  rocker  lube  oil  for  condition  and  contaminants. 

8.  Check  turbocharger  inlet  casing  and  turbo  casing  water  passages  for  scale.  The 

inside  surface  of  these  casings  is  the  best  indication  for  adequacy  of  water 
treatment. 

9.  Check  for  tightness  of  exhaust  manifold  flange  bolts  to  cylinder  head  (165- 
196  ft.lbs.). 

10.  Check  all  safety  and  shutdown  controls  for  appropriate  pressures  and 
temperatures. 

1 1 .  Borescope  all  cylinder  liners. 

12.  Inspect  Ae  crankcase  end  of  all  cylinder  liners. 

1 3 .  Check  main  bearing  cap  tightness  (9950- 1 1 00  psi  hydraulic)  and  side  bolts 
(heimmer  tight).  Alternately  confirm  cap  tightness  to  frame  and  saddle  to  .0015 
feeler  gauge. 

14.  Visually  examine  gear  train  and  drives,  cam  shafts  and  bearing,  push  rods  and 
rocker  arms. 

1 5 .  Check  crankshaft  alignment  and  bearing  clearances. 

16.  Check  connecting  rod  bearing  clearances  with  feeler  gauge. 

17.  Inspect  all  ledges  and  comers  in  crankcase  for  debris  which  could  indicate  other 
mechanical  problems.  Confirm  all  cotters,  safety  wire  and  lock  tabs  are  in  place 
and  tight. 

18.  Water  test  engine  and  inspect  for  internal  and  external  leaks.  Isolate  J.W.  surge 
tank  and  test  entire  system  at  40  psi.  After  engine  is  returned  to  operation  and  has 
reached  normal  operating  temperature,  remove  each  rocker  cover  and  inspect  for 
water  leaks  at  top  area  of  cylinder  head. 

1 9.  Check  alternator  coils  and  poles  for  indication  of  movement  (visual). 

20.  Drain  and  refill  alternator  bearing  lube  sump.  If  oil  has  contaminants,  pull 
bearing  cap  and  inspect  journal. 
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2 1 .  Inspect  and  clean  (if  required)  overspeed  trip  mechanism.  Check  operation 

according  to  overspeed  trip  test  instructions. 

Biannually  (2-3  years) 

1 .  All  preceding  instructions. 

2.  Gear  Train 

a.  Check  backlash  (.2  -  .4  mm/  .008  -  .016  inches). 

b.  Check  camshaft  flexible  drive  locking  plate  capscrews  for  indication  of 
loosening  (sheared  locks).  Tighten  and  relock  if  required. 

3.  Check  fuel  control  linkage  roll  pins  for  tightness.  Replace  worn  parts. 

4.  Remove  one  pair  of  exhaust  valve  cage  assembly,  inspect  and  repair  if  required. 
It  is  recoimnended  that  the  valve  selection  be  made  by  the  serviceman  and  based 
on  engine  operating  data. 

The  above  recommendations  are  basic  and  may  be  altered  dependent  upon  site 
experience.  Deletions  and/or  additions  may  be  made  depending  upon  site  operating 
history.  The  five  year  inspection  should  be  reviewed  with  the  factory. 
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Appendix  C  -  Millstone  Unit  3  EDG  System  Basic  Events  and 
Fault  Tree 


The  following  material  is  a  summary  of  the  fault  tree  information  used  in  the 

Probabilistic  Risk  Assessment  of  Millstone  3  [50]. 

Table  C.l  includes  a  listing  of  the  basic  events  which  are  used  in  the  MP-3  fault 
tree.  Each  basic  event  description  is  accompanied  by  its  corresponding  rate,  exposure, 
and  probability  of  occurance. 

Figure  C.l  includes  those  segments  of  the  Millstone  3  EDG  system  fault  tree  that 
are  affected  by  changes  to  the  EDG  refueling  outage  inspection.  A  complete  fault  tree 
can  be  located  in  Dulik’s  report[3]. 
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Description 

BATTERY  CHARGER  1  FAILS  DURING  OPERATION 


DC  PANEL  301 A-1  BUS  FEED  BREAKER  FAILS  TO  REMAIN  CLOSED 


DC  PANEL  301  A-1  BUS  FEED  BREAKER  FAILS  TO  REMAIN  CLOSED _ 

METAI.  ENCLOSED  DC  BUS  3Q1A1  BUS-TQ-TO-GROUND  SHORT 


LOSS  OF  OFFSITE  POWER  _ _ _ _ 


(INIT)  EXPANSION  JOINT  EXJl  A  RUPTURES _ 

(INIT)  EXPANSION  JOINT  EXJ 1 C  RUPTURES 
(INIT)  MOTOR  OPERATED  VALVE  V102A  FAILS  TO  REMAIN  OPEN 
(INIT)  MOTOR  OPERATED  VALVE  VI02C  FAILS  TO  REMAIN  OPEN 
(INIT)  CCF  OF  SERVICE  WATER  PUMPS  *  A^  AND  ^C’  FAILS  TO  RUN 
(INIT)  SERVICE  WATER  PUMP  SWPIA  FAILS  TO  RUN 

(INIT)  SERVICE  WATER  PUMP  SWPIC  FAILS  TO  RUN _ 

SERVICE  WATER  OUTLET  VALVE  AOV39A  FAILS  TO  OPEN  ON 

DEMAND  _ _ _ 

BUS  FEED  BREAKER  32TI-2  FAILS  TO  REMAIN  CLOSED 


BUS  FEED  BREAKER  32T4-2  FAILS  TO  REMAIN  CLOSED _ 


BUS  FEED  BREAKER  32T6-2  FAILS  TO  REMAIN  CLOSED _ _ 


34A  TO  34C  BUS  TIE  BREAKER  34C-1T-2  FAILS  TO  OPEN  ON  DEMAND 


BUS  FEED  BREAKER  34C3-2  FAILS  TO  REMAIN  CLOSED _ 


TRANSFER  PUMP  *PIA  ‘42  BREAKER’  FAILS  TO  CLOSE _ _ 


TRANSFER  PUMP  *PIC  ‘42  BREAKER’  FAILS  TO  CLOSE _ 


BUS  FEED  BREAKER  TO  34C  AUX  CIRCUIT  FAILS  TO  REMAIN  CLOSED 


42  BREAKER’  FOR  *FN1A  FAILS  TO  CLOSE  ON  DEMAND _ 


42  BREAKER’- FOR  ♦FNIC  FAILS  TO  CLOSE  ON  DEMAND _ _ 


DIESEL  GENERATOR  A  OUTPUT  BREAKER  FAILS  TO  CLOSE  ON 

DEMAND  _ _ _ _ 

FAILURE  TO  SHED  MAJOR  EQUIP.  LOADS  (BREAKER  FAILS  TO  OPEN) 


METAL  ENCLOSED  AC  BUS-TO-GROUND  SHORT  (BUS  32T) _ _ 


METAL  ENCLOSED  AC  BUS-TO-GROUND  SHORT  (BUS  34C)  _ 


Exposure  Probability 


7.000e-06  I  8760  6.I32c-02 


L520e-06  8760  I.332e-02 


I.520e-06  I  8760  |  L332e-02 


2.000e-07  1  8760  |  1.752e-03 


I.OOOe+OO  I  0.041  4.100e-02 


8.480e-08  I  8760  |  7.428e-04 


8.480e-08  8760  7.428e-04 


I.400e-07  I  8760  |  I.226e-03 


1.400e-07  8760  1 .2266-03 


3.2006-05  I  876  |  2.8036-02 


3.2006-05  1  8760  2.803e-02 


3.2006-05  I  8760  2.8036-02 


2.0006-03  I  1  2.0006-03 


1.5206-06  I  24  3.6486-05 


L520e-06  I  24  3.6486-05 


1.5206-06  24  3.6486-05 


1.580e-04  6  9.4806-04 


I.520e-06  24  3.6486-05 


3.3806-04  1  3.3806-04 


3.3806-04  1  1  3.3806-04 


1.5206-06  24  3.6406-05 


3.3806-04  1  3.3806-04 


3.3806-04  1  3.3806-04 


3.3806-04  I  3.3806-04 


28 

29 

30 

■ 

31 

■ 

32 

( 

33 

( 

34 

1 

35 

I 

36 

i 

37 

( 

38 

1 

1 

39 

■ 

40 

■ 

41 

( 

42 

n 

43 

] 

:-04  30 


1-07  24 


!-07  24 


:-07 


EDG  LOAD  SEQUENCER  ‘A’  FAILS  ON  DEMAND 


FAN  UNIT  ♦FNl  A  FAILS  TO  RUN 


FAN  UNIT  *FN1A  FAILS  TO  START 


FAN  UNIT  *FNl  A  OUT  OF  SERVICE  FOR  MAINTENANCE 


FAN  UNIT  *FNIC  FAILS  TO  RUN 


FAN  UNIT  ♦FNIC  FAILS  TO  START 


FAN  UNIT  *FN1C  OUT  OF  SERVICE  FOR  MAINTENANCE 


FUSE  VIACl  FAILS  TO  REMAIN  CLOSED 


DC  TO  AC  POWER  INVERTER-I  FAILS  DURING  OPERATION 


1.6406-02 


4.0006-03 


4.0006-03 


4.0006-03 


4.0006-03 


l.OOOe+00 


7.890e-06 


4.8406-04 


5.6606-04 


7.890e-06 


4.8406-04 


5.660e-04 


5.0006-07 


2.0006-05 


7.5806-04 


24 


1 


I 


24 


I 


4.7406-03 


4.8006-06 


4.8006-06 


4.8006-06 


4.8006-06 


4.800e-06 


8.1006-04 


8.1006-04 


8.1006-04 


8.1006-04 


8.1006-04 


8.1006-04 


8.1006-04 


l.lOOe-02 


1.6406-02 


4.0006-03 


4.0006-03 


4.0006-03 


4.0006-03 


7.5806-04 


1.8946-04 


4.8406-04 


5.660e-04 


L894e-04 


4.8406-04 


5.660e-04 


1.2006-05 


4.8006-04 
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Description 

LEVEL  SWITCH  LS40A  FAILS  TO  OPERATE  (LOW  DAY  TANK  LEVEL) 
LEVEL  SWITCH  LS41A  FAILS  TO  OPERATE  (LOW-LOW  DAY  TANK 

LEVEL) _ _ _ _ _ _ _ 

FT  IFT  Oil .  TRANSFER  PUMP  *P1  A  FAILS  TO  RUN _ _ _ 


FUEL  OIL  TRANSFER  PUMP  *P1  A  FAILS  TO  START _ _ 

FT  IFT  ■  on .  TRANSFER  PUMP  *P  1 C  FAILS  TO  RUN 


FUEL  OIL  TRANSFER  PUMP  ♦PIC  FAILS  TO  START  _  _ _ 


RELAY  COIL  27 Y2  FAILS  TO  ENERGIZE _ _ _ 


RELAY  COIL  27R  FAILS  TO  DEENERGIZE _ _ _ 


RELAY  COIL  62V  FAILS  TO  ENERGIZE _ _ _ 


RELAY  COIL  62W  FAILS  TO  ENERGIZE _ _ _ 


RELAY  COIL  62Y  FAILS  TO  ENERGIZE _ _ _ 


FUEL  OIL  STORAGE  TANK  TKIA  RUPTURES _ _ _ 


FUEL  OIL  DAY  TANK  TK2A  RUPTURES _ _ _ 


TRANSFORMER  34C3-1X  FAILS  TO  OPERATE _ _ _ 


TEMPERATURE  SWITCH  TS32A  FAILS  TO  OPERATE _ _ 


CCF  •  SW  AIR  OPERATED  VALVES  ♦39A,  B  FAIL  TO  OPEN  ON  DEMAND 
CCF  OF  DGs  TO  START  ON  DEMAND  (INCLUDES  FAILURE  TO  RUN)"^ 
CCF  TO  RUN  OF  TRANSFER  PUMPS  ♦PIA  AND  *P1C 


CCF  TO  START  OF  TRANSFER  PUMPS  ♦PI  A  AND  *P1C _ _ 


DC  PANEL  30IA-IA  BUS  FEED  BREAKER  FAILS  TO  REMAIN  CLOSED 


nc  PANEL  301  A>IB  BUS  FEED  BREAKER^LS  TO  REMAIN  CLOSED 


DC  PANEL  3Q1A-1  BUS  FEED  BREAKER  FAILS  TO  REMAIN  CLOSED 


DC  BUS  301 A-1  FEED  BREAKER  TO  INVl  FAILS  TO  REMAIN  CLOSED 
~  METAL  ENCLOSED  DC  BUS-TO>GROUND  SHORT  (DC  PANEL  301 A-1) 

'  METAL  ENCLOSED  DC'BUS  30 1  A-1  A  BUS-TO-GROUND  SHORT 
'  METAL  ENCLOSED  DC  BUS  3Q1A-1B  BUS-TO-GROUND  SHORT 
~  STORAGE  BATTERY  301  A-1  FAILS  TO  PROVIDE  OUTPUT  ON  DEMAND" 
"  -42  BREAKER*  FOR  VENTILATION  UNIT  HVY*FN2A  FAILS  TO  CLOSE~ 
AIR  OPERATED  DAMPER  *23  A  FAILS  TO  OPEN 
'  VENTILATION  UNIT  HVY*FN2A  FAILS  TO  RUN 
"  VENTILATION  UNIT  HVY*FN2A  FAILS  TO  START 
■  TEMPERATURE  SWITCH  TS60A  FAILS  TO  OPERATIE 
"  CCF  ■  AIR  OPERATED  DAMPERS  *23 A  AND  *23B  FAIL  TO  OPEN 
'  CCF -VENTILATION  UNITS  HVY*FN2A,FN2B  FAIL  TO  RUN 
'  CCF  >  VENTILATION  UNITS  HVY*FN2A,  FN2B  FAIL  TO  START 


NOT  SUMMER  OPERATION  _ 

’  PUMP  SWP*P1  A  START  CIRCUIT  BREAKER  FAILS  TO  CLOSE  ON 

DEMAND  _ 

"  PUMP  SWP*P1C  START  CIRCUIT  BREAKER  FAILS  TO  CLOSE  ON 
DEMAND  _ 


t  BUS  FEED  BREAKER  FOR  V1Q2A  FAILS  TO  CLOSE  ON  DEMAND 


1  BUS  FEED  BREAKER  FOR  V102C  FAILS  TO  CLOSE  ON  DEMAND _ 


I  PUMP  *A’  CONTACT  PAIR  52S  53-54  FAILS  TO  CLOSE _ 


I  PUMP  'C^  CONTACT  PAIR  52S  53-54  FAILS  TO  CLOSE _ 


I  LOW  HEADER  PRESSURE  CONTACT  PAIR  63X12  FAILS  TO  CLOSE 
LOW  HEADER  PRESSURE  CONTACT  PAIR  63X56  FAILS  TO  CLOSE 


PUMP  ‘C’  LUBRICATION  FAILS  (CHECK  VALVE  -  768  FAILS  TO  OPEN) 


PUMP  ‘A’  LUBRICATION  FAILS  (CHECK  VALVE  -  769  FAILS  TO  OPEN) 


CHECK  VALVE  P1A*V7  FAILS  TO  OPEN  ON  DEMAND  _ 


CHECK  VALVE  P1C*V5  FAILS  TO  OPEN  ON  DEMAND  _ _ 


MOTOR  OPERATED  VALVE  V102A  FAILS  TO  OPEN  ON  DEMAND _ 


MOTOR  OPERATED  VALVE  V102C  FAILS  TO  OPEN  ON  DEMAND 


SERVICE  WATER  PUMP  SWPl  A  OOS  FOR  MAINTENANCE  _ 


2.500e-05 


2.000e-03 


2.500e-05 


2,000e-03 


LOOOe-04 


LOOOe-04 


LOOOe-04 


LOOOe-04 


LOOOe-04 


LOOOe-07 


LOOOe-07 


L200e-06 


2.000e-04 


2.000e-03 


L640e*02 


2.500e-05 


2.000e-03 


L520e-06 


L520e-06 


L520e-06 


L520e-06 


I  2,000e-07 


2.000e-07 


2.000e-07 


5.000e-04 


3.380e-04 


2.000e-03 


7.890e-06 


4.840e-04 


2.000e-04 


2.000e-03 


7.890e-06 


4.840e-04 


LOOOe+00 


3.380e-04 


3.380e-04  I  1 


3.380e-04 


3.380e.04 


L350e-04 


L350e-04 


L350e-04 


L350e-04 


2.000e-04 


2.000e-04 


2.000e-04 


2.000e-04 


4.000e-03 


4.000e-03 


LlOOe-02 


Probability 


LOOOe  -05 


LOOOe-05 


6.000e-04 


2.000e-03 


6.000e-04 


2.000e-03 


6.000e-04 


6.000e-04 


6,000e-04 


6.000e-04 


6.000e-04 


2.400e-06 


2.400e-06 


2.880e-05 


2.000e-04 


L360e-04 


L115e-03 


6.000e-05 


2.000e-04 


3.648e-05 


3.648e-05 


3.648e-05 


3.648e-05 


4.800e-06 


4.800e-06 


4.800e-06 


5.000e-04 


3.380e-04 


2.000e-03 


L894e-04 


4.840e-04 


2.000e-04 


L360e-04 


L894e-05 


4.840e-05 


7.500e-01 


3.380e-04 


3.380e-04 


3.380e-04 


3.380e-04 


L782e-02 


L782e-02 


L782e-02 


L782e-02 


2.000e-04 


2,000e-04 


2.000e-04 


2.000e-04 


4.000e-03 


4.000e-03 


LlOOe-02 
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Table  C.l  Basic  Events  (continued) 


Event 

# 

Description 

Rate 

Exposure 

Probability 

104 

SERVICE  WATER  PUMP  S WP 1 A  FAILS  TO  RUN 

3.200e-05 

24 

7.680e-04 

105 

SERVICE  WATER  PUMP  SWPl A  FAILS  TO  START  ON  DEMAND 

2.400e-03 

I 

2.400e-03 

106 

SERVICE  WATER  PUMP  SWPIC  OOS  FOR  MAINTENANCE 

9.000e-04 

1 

9.000e-04 

107 

SERVICE  WATER  PUMP  SWPIC  FAILS  TO  RUN 

3.200e-05 

24 

7.680e-04 

108 

SFRVICE  WATER  PUMP  SWPIC  FAILS  TO  START  ON  DEMAND 

2.400e-03 

1 

2.400e-03 

109 

SERVICE  WATER  TRAIN ‘A’ PUMP ‘A’ IN  LEAD 

l.OOOe+00 

5.000e-01 

110 

SERVICE  WATER  TRAIN  ‘A’  PUMP  ‘C’  IN  LEAD 

l.OOOe+OO 

0.5 

5.000e-01 

111 

PRESSURE  SWITCH  PS27A  FAILS  TO  OPERATE 

2.000e-04' 

132 

2.640e-02 

112 

rCF  OF  CHECK  VALVES  V5  AND  V7  FAILS  TO  OPEN  ON  DEMAND 

2.000e-04 

0.068 

1.360e-05 

113 

CCF  OF  LUBE  LINE  CHECK  VALVES  V768  AND  V769  TO  CLOSE 

2.000e-04 

0.068 

1.360e-05 

114 

■  CCF  OF  ALL  '4  LUBE  LINE  CHECK  VALVES  TO  OPEN 

2.000e-04 

0.00029 

5.800e-08 

115 

CCF  OF  ALL  4  DISCHARGE  CHECK  VALVES  TO  OPEN 

2.000e-04 

0.00029 

5.800e-08 

116 

CCF  OF  MOTOR  OPERATED  VALVES  I02A  AND  102C  FAILS  TO  OPEN  ON 
DEMAND 

4.000e-03 

0.068 

2.720e-04 

117 

CCF  OF  ALL  4  DISCHARGE  MOTOR  OPERATED  VALVES  TO  OPEN 

4.000e-03 

0.00029 

1.160e-06 

118 

CCF  OF  ALL  4  SERVICE  WATER  PUMPS  TO  START 

2.400e-03 

0.0022 

5.280e-06 

119 

CCF  OF  SERVICE  WATER  PUMPS  ‘A’  AND  ‘C’  FAIL  TO  RUN 

3.200e.05 

2.4 

7.680e-05 

120 

CCF  TO  START  OF  SW  PUMPS  ‘A’  AND  ‘C’ 

2.400e-03 

0.1 

2.400e-04 

121 

OPERATOR  FAILS  TO  START  FOLLOW  PUMP 

l.OOOe+OO 

0.01 

1  .OOOe-02 

Table  C.l  Basic  Events  (continued) 
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Figure  C.l  MP-3  EDG  Fault  Tree 
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